diff --git a/.github/workflows/debian-build.yaml b/.github/workflows/debian-build.yaml
index 0f6cae8616..d1db48347f 100644
--- a/.github/workflows/debian-build.yaml
+++ b/.github/workflows/debian-build.yaml
@@ -173,7 +173,9 @@ jobs:
           docker-image: ubuntu:${{ inputs.ubuntu-version }}
           # Add the Go backports PPA if we're testing a Ubuntu release which
           # doesn't have the required Go version in main.
-          extra-apt-repositories: ${{ (inputs.ubuntu-version == 'noble' || inputs.ubuntu-version == 'questing') && 'ppa:ubuntu-enterprise-desktop/golang' || '' }}
+          extra-apt-repositories: |
+            ${{ (inputs.ubuntu-version == 'noble' || inputs.ubuntu-version == 'questing') && 'ppa:ubuntu-enterprise-desktop/golang' || '' }}
+            ${{ (inputs.ubuntu-version == 'noble' && 'ppa:maxgmr/lp2100266-2' || '') }}
           # Extra build dependencies:
           # - systemd-dev: Required to read compile time variables from systemd via pkg-config.
           extra-source-build-deps: |
diff --git a/debian/control b/debian/control
index 16a917b89b..30af373700 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,12 @@ Build-Depends: debhelper-compat (= 13),
                dh-exec,
                dh-golang,
                dctrl-tools,
-               cargo (>= 1.82) | cargo-1.82,
+# FIXME: We need a newer cargo to be able to update our Rust dependencies.
+# These are the newest versions currently available in the active Ubuntu releases:
+# * Noble: cargo-1.91
+# * Questing: cargo-1.88
+# * Resolute: cargo (>= 1.91)
+               cargo (>= 1.91) | cargo-1.91 | cargo-1.88,
 # FIXME: We need cargo-vendor-filterer starting from plucky, but noble isn't ready yet
 # so workaround it, making it kind of optional, and requiring it only on versions after
 # noble (controlled via base-files version that matches the one in noble).
diff --git a/debian/get-depends-cargo-bin-path.sh b/debian/get-depends-cargo-bin-path.sh
new file mode 100755
index 0000000000..2270bcdbbf
--- /dev/null
+++ b/debian/get-depends-cargo-bin-path.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -eu
+
+debian_path=$(dirname "$0")
+min_cargo_versions=$(grep-dctrl -s Build-Depends -n - "${debian_path}"/control | \
+    grep -v '^\s*#' | \
+    grep -oP '(?<=cargo-)[0-9.]+')
+
+if [ -z "${min_cargo_versions}" ]; then
+    echo >&2 "No cargo version specified in Build-Depends."
+    exit 1
+fi
+
+default_cargo_wrapper="/usr/share/cargo/bin/cargo"
+default_cargo_wrapper_dir="${default_cargo_wrapper%/cargo}"
+default_cargo_version=$(dpkg-query -W -f='${Version}' cargo 2>/dev/null || true)
+
+for min_cargo_version in ${min_cargo_versions}; do
+    versioned_cargo_wrapper="/usr/lib/rust-${min_cargo_version}/share/cargo/bin/cargo"
+    versioned_cargo_wrapper_dir="${versioned_cargo_wrapper%/cargo}"
+    versioned_bin_dir="/usr/lib/rust-${min_cargo_version}/bin"
+
+    if [ -x "${default_cargo_wrapper}" ] && \
+       dpkg --compare-versions "${default_cargo_version}" ge "${min_cargo_version}" 2>/dev/null; then
+        echo >&2 "Using default cargo at ${default_cargo_wrapper} (version ${default_cargo_version})"
+        echo "${default_cargo_wrapper_dir}"
+        exit 0
+    else
+        echo >&2 "Default cargo at ${default_cargo_wrapper} does not meet the minimum version requirement of ${min_cargo_version} (found version '${default_cargo_version}')."
+    fi
+
+    if [ -x "${versioned_cargo_wrapper}" ]; then
+        echo >&2 "Using versioned cargo at ${versioned_cargo_wrapper}"
+        echo "${versioned_cargo_wrapper_dir}:${versioned_bin_dir}"
+        exit 0
+    fi
+
+    echo >&2 "Versioned cargo at ${versioned_cargo_wrapper} does not exist or is not executable."
+done
+
+echo >&2 "No suitable cargo version found for minimum required version ${min_cargo_versions}."
+exit 1
diff --git a/debian/rules b/debian/rules
index 0539b8f255..4c6464e516 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,9 +21,6 @@ export DH_GOLANG_INSTALL_ALL := 1
 # as long as it matches the go.mod go stenza which is the language requirement.
 export GOTOOLCHAIN := local
 
-# Use the debian cargo wrapper
-export CARGO_PATH := /usr/share/cargo/bin/cargo
-
 # Needed for Rust vendored sources tracking
 export CARGO_VENDOR_DIR := $(CURDIR)/vendor_rust
 
@@ -50,10 +47,14 @@ export DH_GOLANG_BUILDPKG := \
 	$(AUTHD_GO_PACKAGE)/pam \
 	$(NULL)
 
-# We add the required backported version to the $PATH so that if it exists, then
-# we can use it. Otherwise we default to the go installed in original $PATH that
-# always matches with the latest available go version in the archive.
-export PATH := $(shell printenv PATH):$(shell ./debian/get-depends-go-bin-path.sh)
+# Prepend the following paths to PATH:
+# * The cargo wrapper. This will either be the path to the wrapper installed by
+#   dh-cargo, or the path to the wrapper installed by the cargo-$VERSION package.
+# * The Go executable from the backported Go package. It's possible that no
+#   backported Go package is installed, because the golang-go package already
+#   satisfies the dependency. It's still fine to also add the path in that case,
+#   it will be ignored if it doesn't exist.
+export PATH := $(shell ./debian/get-depends-cargo-bin-path.sh):$(shell ./debian/get-depends-go-bin-path.sh):$(shell printenv PATH)
 
 BUILDDIR := $(CURDIR)/obj-$(DEB_HOST_GNU_TYPE)
 
@@ -89,7 +90,7 @@ override_dh_auto_configure:
 	# TODO: Drop this when we won't care about noble anymore.
 	if ! command -v cargo-vendor-filterer 2>/dev/null; then \
 		env DEB_CARGO_CRATE="$(DEB_SOURCE)_$(DEB_VERSION_UPSTREAM)" \
-		  $(CARGO_PATH) prepare-debian "$(CARGO_VENDOR_DIR)"; \
+		  cargo prepare-debian "$(CARGO_VENDOR_DIR)"; \
 	else \
 	    echo "cargo version: $$(cargo --version)"; \
 	    echo "cargo-vendor-filterer version: $$(cargo-vendor-filterer --version)"; \
@@ -105,7 +106,9 @@ override_dh_auto_build:
 	DH_GOLANG_GO_GENERATE=1 dh_auto_build -- $(AUTHD_GO_PACKAGE)/pam
 
 	# Build the NSS library
-	$(CARGO_PATH) build --release
+	echo "PATH: $(PATH)"
+	echo "Building NSS library with $$(which cargo) ($$(cargo --version))"
+	cargo build --release
 
 	# Build the daemon
 	dh_auto_build -- $(AUTHD_GO_PACKAGE)/cmd/authd
diff --git a/debian/vendor-rust.sh b/debian/vendor-rust.sh
index 1fedf6e1d1..0d6275e9bd 100755
--- a/debian/vendor-rust.sh
+++ b/debian/vendor-rust.sh
@@ -13,10 +13,12 @@ if ! command -v cargo-vendor-filterer 2>/dev/null; then
 fi
 
 # Print the versions of cargo and cargo-vendor-filterer for debugging purposes.
-echo "Using cargo version: $(${CARGO_PATH} --version)"
+echo "PATH: $PATH"
+echo "Using cargo: $(which cargo)"
+echo "Using cargo version: $(cargo --version)"
 echo "Using cargo-vendor-filterer version: $(cargo-vendor-filterer --version)"
 
 # Some crates are shipped with .a files, which get removed by the helpers during the package build as a safety measure.
 # This results in cargo failing to compile, since the files (which are listed in the checksums) are not there anymore.
 # For those crates, we need to replace their checksum with a more general one that only lists the crate checksum, instead of each file.
-${CARGO_PATH} vendor-filterer "${CARGO_VENDOR_DIR}"
+cargo vendor-filterer "${CARGO_VENDOR_DIR}"