diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 4359730..d741643 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -3,7 +3,7 @@ ARG BASE_IMAGE
 
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} AS SRC
 
-FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi9/ubi:latest} AS ubi
+FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi9/ubi:9.7} AS ubi
 ARG TARGETARCH
 
 
@@ -20,7 +20,21 @@ RUN mkdir /image && \
 COPY ubi-build-files-${TARGETARCH}.txt /tmp
 # Copy all the required files from the base UBI image into the image directory
 # As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
-RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/
+# Filter existing files and exclude temporary entitlement files that may be removed during build
+RUN while IFS= read -r file; do \
+      [ -z "$file" ] && continue; \
+      if [ -e "$file" ] || [ -L "$file" ]; then \
+        echo "$file"; \
+      fi; \
+    done < /tmp/ubi-build-files-${TARGETARCH}.txt > /tmp/existing-files.txt && \
+    if [ -s /tmp/existing-files.txt ]; then \
+      tar -chf /tmp/files.tar --exclude='etc/pki/entitlement-host*' -T /tmp/existing-files.txt 2>&1 | grep -vE "(File removed before we read it|Cannot stat)" || true; \
+      if [ -f /tmp/files.tar ]; then \
+        tar xf /tmp/files.tar -C /image/ 2>/dev/null || true; \
+        rm -f /tmp/files.tar; \
+      fi; \
+    fi && \
+    rm -f /tmp/existing-files.txt
 
 # Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
 RUN rpm --root /image --initdb \