diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index ce4638c27..273dcaad3 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -369,7 +369,7 @@ def mount_build_overlay(context: Context, volatile: bool = False) -> Iterator[Pa
 
 @contextlib.contextmanager
 def finalize_scripts(config: Config, scripts: Mapping[str, Sequence[PathString]]) -> Iterator[Path]:
-    with tempfile.TemporaryDirectory(prefix="mkosi-scripts") as d:
+    with tempfile.TemporaryDirectory(prefix="mkosi-scripts-") as d:
         # Make sure than when mkosi-as-caller is used the scripts can still be accessed.
         os.chmod(d, 0o755)
 
@@ -3572,7 +3572,7 @@ def normalize_mtime(root: Path, mtime: Optional[int], directory: Optional[Path]
 @contextlib.contextmanager
 def setup_workspace(args: Args, config: Config) -> Iterator[Path]:
     with contextlib.ExitStack() as stack:
-        workspace = Path(tempfile.mkdtemp(dir=config.workspace_dir_or_default(), prefix="mkosi-workspace"))
+        workspace = Path(tempfile.mkdtemp(dir=config.workspace_dir_or_default(), prefix="mkosi-workspace-"))
         # Discard setuid/setgid bits as these are inherited and can leak into the image.
         workspace.chmod(stat.S_IMODE(workspace.stat().st_mode) & ~(stat.S_ISGID|stat.S_ISUID))
         stack.callback(lambda: rmtree(workspace, sandbox=config.sandbox))
@@ -4173,7 +4173,7 @@ def prepend_to_environ_path(config: Config) -> Iterator[None]:
         yield
         return
 
-    with tempfile.TemporaryDirectory(prefix="mkosi.path") as d:
+    with tempfile.TemporaryDirectory(prefix="mkosi.path-") as d:
 
         for path in config.extra_search_paths:
             if not path.is_dir():
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index 0757100ee..374d507f0 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -252,7 +252,7 @@ def find_ovmf_firmware(config: Config, firmware: QemuFirmware) -> Optional[OvmfC
 
 @contextlib.contextmanager
 def start_swtpm(config: Config) -> Iterator[Path]:
-    with tempfile.TemporaryDirectory(prefix="mkosi-swtpm") as state:
+    with tempfile.TemporaryDirectory(prefix="mkosi-swtpm-") as state:
         # swtpm_setup is noisy and doesn't have a --quiet option so we pipe it's stdout to /dev/null.
         run(
             ["swtpm_setup", "--tpm-state", state, "--tpm2", "--pcr-banks", "sha256", "--config", "/dev/null"],
@@ -329,7 +329,7 @@ def start_virtiofsd(config: Config, directory: PathString, *, name: str, selinux
     # We create the socket ourselves and pass the fd to virtiofsd to avoid race conditions where we start qemu
     # before virtiofsd has had the chance to create the socket (or where we try to chown it first).
     with (
-        tempfile.TemporaryDirectory(prefix="mkosi-virtiofsd") as context,
+        tempfile.TemporaryDirectory(prefix="mkosi-virtiofsd-") as context,
         socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock,
     ):
         # Make sure virtiofsd can access the socket in this directory.
@@ -449,7 +449,7 @@ def start_journal_remote(config: Config, sockfd: int) -> Iterator[None]:
         run(["chattr", "+C", d], check=False, stderr=subprocess.DEVNULL if not ARG_DEBUG.get() else None)
         INVOKING_USER.chown(d)
 
-    with tempfile.NamedTemporaryFile(mode="w", prefix="mkosi-journal-remote-config") as f:
+    with tempfile.NamedTemporaryFile(mode="w", prefix="mkosi-journal-remote-config-") as f:
         # Make sure we capture all the logs by bumping the limits. We set MaxFileSize=4G because with the compact mode
         # enabled the files cannot grow any larger anyway.
         f.write(
@@ -563,7 +563,7 @@ def want_scratch(config: Config) -> bool:
 
 @contextlib.contextmanager
 def generate_scratch_fs(config: Config) -> Iterator[Path]:
-    with tempfile.NamedTemporaryFile(dir="/var/tmp", prefix="mkosi-scratch") as scratch:
+    with tempfile.NamedTemporaryFile(dir="/var/tmp", prefix="mkosi-scratch-") as scratch:
         scratch.truncate(1024**4)
         fs = config.distribution.filesystem()
         extra = config.environment.get(f"SYSTEMD_REPART_MKFS_OPTIONS_{fs.upper()}", "")
@@ -595,7 +595,7 @@ def finalize_qemu_firmware(config: Config, kernel: Optional[Path]) -> QemuFirmwa
 
 
 def finalize_firmware_variables(config: Config, ovmf: OvmfConfig, stack: contextlib.ExitStack) -> tuple[Path, str]:
-    ovmf_vars = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-ovmf-vars"))
+    ovmf_vars = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-ovmf-vars-"))
     if config.qemu_firmware_variables in (None, Path("custom"), Path("microsoft")):
         ovmf_vars_format = ovmf.vars_format
     else:
@@ -1100,7 +1100,7 @@ def add_virtiofs_mount(
             if config.architecture.supports_smbios(firmware):
                 cmdline += ["-smbios", f"type=11,value=io.systemd.credential.binary:{k}={payload}"]
             elif config.architecture.supports_fw_cfg():
-                f = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-fw-cfg", mode="w"))
+                f = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-fw-cfg-", mode="w"))
                 f.write(v)
                 f.flush()
                 cmdline += ["-fw_cfg", f"name=opt/io.systemd.credentials/{k},file={f.name}"]
diff --git a/mkosi/user.py b/mkosi/user.py
index e94958504..2d2dbfec9 100644
--- a/mkosi/user.py
+++ b/mkosi/user.py
@@ -156,7 +156,7 @@ def become_root() -> None:
 
     pid = os.getpid()
 
-    with tempfile.NamedTemporaryFile(prefix="mkosi-uidmap-lock") as lockfile:
+    with tempfile.NamedTemporaryFile(prefix="mkosi-uidmap-lock-") as lockfile:
         lock = Path(lockfile.name)
 
         # We map the private UID range configured in /etc/subuid and /etc/subgid into the container using