diff --git a/NEWS.md b/NEWS.md
index f65337f49..bac0e1e3a 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -62,6 +62,13 @@
 - `Profile=` is renamed to `Profiles=` and takes a comma separated list of
   profiles now. Scripts now receive `$PROFILES` with a space-separated list
   of profiles instead of `$PROFILE`.
+- Multiple sync, prepare, build, postinst, finalize, postoutput and clean scripts are now picked up from
+  `mkosi.$SCRIPT.d`.
+- `run0` is now automatically used to escalate privileges for commands that need it, like the `burn` verb.
+- `/usr/share/keyrings` and `/usr/share/distribution-gpg-keys` are no longer automatically picked up from the
+  tools tree when `ToolsTreeCertificates=` is set, since they aren't certificates, use a sandbox tree
+  instead. This allows to override `SignedBy=` keys for APT repositories.
+- The `agetty.autologin` and `login.noauth` credentials are no longer set unconditionally.
 
 ## v24
 
diff --git a/mkosi/config.py b/mkosi/config.py
index 4ab7824a0..072086452 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -2024,7 +2024,6 @@ def parse_ini(path: Path, only_sections: Collection[str] = ()) -> Iterator[tuple
         section="Config",
         parse=config_make_list_parser(delimiter=",", parse=make_path_parser()),
         paths=("mkosi.configure",),
-        recursive_paths=("mkosi.configure.d/",),
         help="Configure script to run before doing anything",
     ),
     ConfigSetting(
@@ -2254,6 +2253,7 @@ def parse_ini(path: Path, only_sections: Collection[str] = ()) -> Iterator[tuple
         section="Output",
         parse=config_make_list_parser(delimiter=",", parse=make_path_parser()),
         paths=("mkosi.clean",),
+        recursive_paths=("mkosi.clean.d",),
         help="Clean script to run after cleanup",
     ),
     # Content section
diff --git a/mkosi/resources/man/mkosi.md b/mkosi/resources/man/mkosi.md
index 8c8531061..25b26a75c 100644
--- a/mkosi/resources/man/mkosi.md
+++ b/mkosi/resources/man/mkosi.md
@@ -2156,6 +2156,22 @@ image using `mkosi-chroot` (see below) before executing the script. For
 example, if `mkosi.postinst.chroot` exists, mkosi will chroot into the
 image and execute it as the post-installation script.
 
+Instead of a single file script, mkosi will also read all files in lexicographical order from appropriately
+named `.d` directories, e.g. all files in a `mkosi.build.d` would be used as build scripts. This is supported
+by
+
+* `mkosi.sync.d`,
+* `mkosi.prepare.d`,
+* `mkosi.build.d`,
+* `mkosi.postinst.d`,
+* `mkosi.finalize.d`,
+* `mkosi.postoutput.d`, and
+* `mkosi.clean.d`.
+
+This can be combined with the `.chroot` extension, e.g. `mkosi.build.d/01-foo.sh` would be run without
+chrooting into the image and `mkosi.build.d/02-bar.sh.chroot` would be run after chrooting into the image
+first.
+
 Scripts executed by mkosi receive the following environment variables:
 
 * `$ARCHITECTURE` contains the architecture from the `Architecture=`