diff --git a/.github/scripts/conformance-client.py b/.github/scripts/conformance-client.py
index 34ed29156d..0c44c7ff84 100755
--- a/.github/scripts/conformance-client.py
+++ b/.github/scripts/conformance-client.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 """Conformance client for python-tuf, part of tuf-conformance"""
 
 # Copyright 2024 tuf-conformance contributors
diff --git a/examples/client/client b/examples/client/client
index ed8e266b65..9eaffc2308 100755
--- a/examples/client/client
+++ b/examples/client/client
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 """TUF Client Example"""
 
 # Copyright 2012 - 2017, New York University and the TUF contributors
diff --git a/examples/repository/repo b/examples/repository/repo
index 89ccf37707..1a7389f2a1 100755
--- a/examples/repository/repo
+++ b/examples/repository/repo
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright 2021-2022 python-tuf contributors
 # SPDX-License-Identifier: MIT OR Apache-2.0
 
diff --git a/examples/uploader/uploader b/examples/uploader/uploader
index aaf610df6c..8a3ccb8de6 100755
--- a/examples/uploader/uploader
+++ b/examples/uploader/uploader
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # Copyright 2021-2022 python-tuf contributors
 # SPDX-License-Identifier: MIT OR Apache-2.0
 
diff --git a/pyproject.toml b/pyproject.toml
index 4eac696d2c..57e2669f75 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -81,7 +81,6 @@ ignore = [
     # Rulesets we do not use at this moment
     "COM",
     "EM",
-    "FA",
     "FIX",
     "FBT",
     "PERF",
diff --git a/tests/simple_server.py b/tests/simple_server.py
index 08166736f5..7b6f6096ec 100755
--- a/tests/simple_server.py
+++ b/tests/simple_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 # Copyright 2012 - 2017, New York University and the TUF contributors
 # SPDX-License-Identifier: MIT OR Apache-2.0
diff --git a/tests/test_updater_fetch_target.py b/tests/test_updater_fetch_target.py
index 5304843fab..5ab8567032 100644
--- a/tests/test_updater_fetch_target.py
+++ b/tests/test_updater_fetch_target.py
@@ -5,12 +5,13 @@
 target files storing/loading from cache.
 """
 
+from __future__ import annotations
+
 import os
 import sys
 import tempfile
 import unittest
 from dataclasses import dataclass
-from typing import Optional
 
 from tests import utils
 from tests.repository_simulator import RepositorySimulator
@@ -30,7 +31,7 @@ class TestFetchTarget(unittest.TestCase):
     """Test ngclient downloading and caching target files."""
 
     # set dump_dir to trigger repository state dumps
-    dump_dir: Optional[str] = None
+    dump_dir: str | None = None
 
     def setUp(self) -> None:
         self.temp_dir = tempfile.TemporaryDirectory()
diff --git a/tests/test_updater_top_level_update.py b/tests/test_updater_top_level_update.py
index aa626ee056..fb053cb9f0 100644
--- a/tests/test_updater_top_level_update.py
+++ b/tests/test_updater_top_level_update.py
@@ -3,15 +3,16 @@
 
 """Test ngclient Updater top-level metadata update workflow"""
 
+from __future__ import annotations
+
 import builtins
 import datetime
 import os
 import sys
 import tempfile
 import unittest
-from collections.abc import Iterable
 from datetime import timezone
-from typing import Optional
+from typing import TYPE_CHECKING
 from unittest.mock import MagicMock, call, patch
 
 import freezegun
@@ -37,13 +38,16 @@
 )
 from tuf.ngclient import Updater
 
+if TYPE_CHECKING:
+    from collections.abc import Iterable
+
 
 class TestRefresh(unittest.TestCase):
     """Test update of top-level metadata following
     'Detailed client workflow' in the specification."""
 
     # set dump_dir to trigger repository state dumps
-    dump_dir: Optional[str] = None
+    dump_dir: str | None = None
 
     past_datetime = datetime.datetime.now(timezone.utc).replace(
         microsecond=0
@@ -109,7 +113,7 @@ def _assert_files_exist(self, roles: Iterable[str]) -> None:
         self.assertListEqual(sorted(found_files), sorted(expected_files))
 
     def _assert_content_equals(
-        self, role: str, version: Optional[int] = None
+        self, role: str, version: int | None = None
     ) -> None:
         """Assert that local file content is the expected"""
         expected_content = self.sim.fetch_metadata(role, version)
diff --git a/tuf/api/serialization/json.py b/tuf/api/serialization/json.py
index dcff79e029..f311907149 100644
--- a/tuf/api/serialization/json.py
+++ b/tuf/api/serialization/json.py
@@ -11,8 +11,9 @@
 # We should not have shadowed stdlib json but that milk spilled already
 # ruff: noqa: A005
 
+from __future__ import annotations
+
 import json
-from typing import Optional
 
 from securesystemslib.formats import encode_canonical
 
@@ -56,7 +57,7 @@ class JSONSerializer(MetadataSerializer):
 
     """
 
-    def __init__(self, compact: bool = False, validate: Optional[bool] = False):
+    def __init__(self, compact: bool = False, validate: bool | None = False):
         self.compact = compact
         self.validate = validate
 
diff --git a/tuf/ngclient/config.py b/tuf/ngclient/config.py
index 357b26b025..82eed82715 100644
--- a/tuf/ngclient/config.py
+++ b/tuf/ngclient/config.py
@@ -3,9 +3,10 @@
 
 """Configuration options for ``Updater`` class."""
 
+from __future__ import annotations
+
 from dataclasses import dataclass
 from enum import Flag, unique
-from typing import Optional
 
 
 @unique
@@ -52,4 +53,4 @@ class UpdaterConfig:
     targets_max_length: int = 5000000  # bytes
     prefix_targets_with_hash: bool = True
     envelope_type: EnvelopeType = EnvelopeType.METADATA
-    app_user_agent: Optional[str] = None
+    app_user_agent: str | None = None
diff --git a/verify_release b/verify_release
index 549b7bab84..8ec46806c1 100755
--- a/verify_release
+++ b/verify_release
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 # Copyright 2022, TUF contributors
 # SPDX-License-Identifier: MIT OR Apache-2.0
@@ -9,6 +9,8 @@ Builds a release from current commit and verifies that the release artifacts
 on GitHub and PyPI match the built release artifacts.
 """
 
+from __future__ import annotations
+
 import argparse
 import json
 import os
@@ -16,7 +18,6 @@ import subprocess
 import sys
 from filecmp import cmp
 from tempfile import TemporaryDirectory
-from typing import Optional
 
 try:
     import build as _  # type: ignore[import-not-found] # noqa: F401
@@ -148,7 +149,7 @@ def verify_pypi_release(version: str, compare_dir: str) -> bool:
 
 
 def sign_release_artifacts(
-    version: str, build_dir: str, key_id: Optional[str] = None
+    version: str, build_dir: str, key_id: str | None = None
 ) -> None:
     """Sign built release artifacts with gpg and write signature files to cwd"""
     sdist = f"{PYPI_PROJECT}-{version}.tar.gz"