%define totpcgiuser     totpcgi
%define totpcgiprovuser totpcgiprov

Name:           totpcgi
Version:        0.7.1
Release:        2%{?dist}
Summary:        A centralized totp solution based on google-authenticator

License:        GPLv2+
URL:            https://github.com/mricon/totp-cgi
Source0:        https://github.com/mricon/totp-cgi/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz

BuildArch:      noarch

BuildRequires:  python3-devel
BuildRequires:  pyproject-rpm-macros

Requires:       httpd, mod_ssl
Requires:       python3-totpcgi = %{version}-%{release}

%description
A CGI/FCGI application to centralize google-authenticator deployments.


%package -n python3-totpcgi
Summary:        Python libraries required for totpcgi
# pycryptodome is only needed by the encrypted-secret feature. Sites that
# enable that feature must install python3-pycryptodome themselves (from a
# copr or pip wheel) — EL10 / EPEL 10 does not currently package it.
Requires:       python3-bcrypt, python3-pyotp, python3-passlib
Obsoletes:      python-totpcgi < %{version}-%{release}
Provides:       python-totpcgi = %{version}-%{release}

%description -n python3-totpcgi
This package includes the Python libraries required for totpcgi and
totpcgi-provisioning.


%package provisioning
Summary:        CGI for Google Authenticator provisioning using totpcgi
Requires:       python3-totpcgi = %{version}-%{release}
Requires:       httpd, mod_ssl, python3-qrcode

%description provisioning
This package provides the CGI for provisioning Google Authenticator tokens
used by totpcgi.


%prep
%autosetup -n totp-cgi-%{version}


%generate_buildrequires
%pyproject_buildrequires


%build
%pyproject_wheel


%install
%pyproject_install
%pyproject_save_files totpcgi

# Install config files
mkdir -p -m 0750 %{buildroot}%{_sysconfdir}/totpcgi
mkdir -p -m 0750 \
    %{buildroot}%{_sysconfdir}/totpcgi/totp \
    %{buildroot}%{_sysconfdir}/totpcgi/templates
install -m 0640 conf/*.conf %{buildroot}%{_sysconfdir}/totpcgi/
install -m 0640 conf/templates/*.html %{buildroot}%{_sysconfdir}/totpcgi/templates/

# Create the state directory
mkdir -p -m 0770 %{buildroot}%{_localstatedir}/lib/totpcgi

# Create the CGI dirs
mkdir -p -m 0751 \
    %{buildroot}%{_localstatedir}/www/totpcgi \
    %{buildroot}%{_localstatedir}/www/totpcgi-provisioning

# Install the web files
install -m 0550 cgi/totp.cgi \
    %{buildroot}%{_localstatedir}/www/totpcgi/index.cgi
install -m 0550 cgi/provisioning.cgi \
    %{buildroot}%{_localstatedir}/www/totpcgi-provisioning/index.cgi
install -m 0644 cgi/*.css \
    %{buildroot}%{_localstatedir}/www/totpcgi-provisioning/

# Install the httpd config files
mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/httpd/conf.d
install -m 0644 contrib/vhost-totpcgi.conf \
    %{buildroot}%{_sysconfdir}/httpd/conf.d/totpcgi.conf
install -m 0644 contrib/vhost-totpcgi-provisioning.conf \
    %{buildroot}%{_sysconfdir}/httpd/conf.d/totpcgi-provisioning.conf

# Install totpprov script and manpage
mkdir -p -m 0755 %{buildroot}%{_bindir}
install -m 0755 contrib/totpprov.py %{buildroot}%{_bindir}/totpprov
mkdir -p -m 0755 %{buildroot}%{_mandir}/man1
install -m 0644 contrib/totpprov.1 %{buildroot}%{_mandir}/man1/


# No %check: test.py's __main__ unconditionally creates an encrypted-secret
# user fixture, which calls totpcgi.utils.encrypt_secret() and requires
# pycryptodome. That fixture setup blows up on a stock EL10 chroot before
# any test method runs. Re-enabling %check needs an upstream change in
# test.py to skip the encrypted-secret fixture + test when pycryptodome is
# not importable.


%pre -n python3-totpcgi
# We always add both the totpcgi and totpcgi-provisioning user
/usr/sbin/useradd -c "Totpcgi user" \
    -M -s /sbin/nologin -d /var/lib/totpcgi %{totpcgiuser} 2> /dev/null || :
/usr/sbin/useradd -c "Totpcgi provisioning user" \
    -M -s /sbin/nologin -d /etc/totpcgi %{totpcgiprovuser} 2> /dev/null || :


%post provisioning
# make sure /var/lib/totpcgi is 0770 totpcgiprov:totpcgi
chown -R %{totpcgiprovuser}:%{totpcgiuser} %{_localstatedir}/lib/totpcgi || :
chmod 0770 %{_localstatedir}/lib/totpcgi || :
# make sure state files are accessible to provisioning
chmod 0660 %{_localstatedir}/lib/totpcgi/*.json >/dev/null 2>&1 || :


%files
%doc README.rst INSTALL.rst
%doc contrib
%doc cgi/totp.fcgi
%dir %attr(-, %{totpcgiuser}, %{totpcgiuser}) %{_localstatedir}/www/totpcgi
%attr(-, %{totpcgiuser}, %{totpcgiuser}) %{_localstatedir}/www/totpcgi/*.cgi
%config(noreplace) %attr(-, -, %{totpcgiuser}) %{_sysconfdir}/totpcgi/totpcgi.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.d/totpcgi.conf
%attr(-, %{totpcgiprovuser}, %{totpcgiuser}) %{_localstatedir}/lib/totpcgi


%files -n python3-totpcgi -f %{pyproject_files}
%doc COPYING
%dir %attr(-, %{totpcgiprovuser}, %{totpcgiuser}) %{_sysconfdir}/totpcgi
%dir %attr(-, %{totpcgiprovuser}, %{totpcgiuser}) %{_sysconfdir}/totpcgi/totp
%config(noreplace) %attr(-, -, %{totpcgiprovuser}) %{_sysconfdir}/totpcgi/provisioning.conf
%{_bindir}/totpprov
%{_mandir}/man1/totpprov.1*


%files provisioning
%dir %attr(-, %{totpcgiprovuser}, %{totpcgiprovuser}) %{_localstatedir}/www/totpcgi-provisioning
%attr(-, %{totpcgiprovuser}, %{totpcgiprovuser}) %{_localstatedir}/www/totpcgi-provisioning/*.cgi
%config(noreplace) %{_localstatedir}/www/totpcgi-provisioning/*.css
%config(noreplace) %{_sysconfdir}/httpd/conf.d/totpcgi-provisioning.conf
%dir %attr(-, -, %{totpcgiprovuser}) %{_sysconfdir}/totpcgi/templates
%config(noreplace) %attr(-, -, %{totpcgiprovuser}) %{_sysconfdir}/totpcgi/templates/*.html


%changelog
* Fri May 15 2026 Konstantin Ryabitsev - 0.7.1-2
- Rename the python library subpackage from python-totpcgi to
  python3-totpcgi to match current Fedora Python packaging guidelines.
  Add Obsoletes/Provides on the old name so existing installs upgrade
  cleanly. Update internal Requires in totpcgi and totpcgi-provisioning
  to reference the new name.

* Fri May 15 2026 Konstantin Ryabitsev - 0.7.1-1
- Update to upstream 0.7.1: pycryptodome is now an optional runtime
  dependency, needed only when the encrypted-secret feature is enabled.
  Drop python3-pycryptodome from Requires; it remains an optional install
  for sites using that feature.
- %%check stays disabled for now: test.py's __main__ unconditionally
  builds an encrypted-secret fixture and so still requires pycryptodome
  at run time. Re-enabling needs an upstream skip-guard in test.py.

* Fri May 15 2026 Konstantin Ryabitsev - 0.7.0-2
- Modernize spec to current Fedora Python packaging guidelines:
  - Replace the legacy %%py3_build / %%py3_install macros with pyproject
    macros (%%pyproject_wheel, %%pyproject_install, %%pyproject_save_files).
  - Use %%pyproject_buildrequires -N to pull build-system requires only;
    python3-pycryptodome is not in EL10 / EPEL 10 and would otherwise
    block the build. Runtime requires are still asserted on the binary
    RPM via %%pyproject_save_files, so installers see the missing dep at
    install time and can source it from a copr of their choice.
  - Point Source0 at the github archive URL for the signed tag, and use
    %%autosetup -n totp-cgi-%%{version} to handle github's directory
    naming.
  - Replace the %%{_bindir}/* and %%{_mandir}/*/* file globs with explicit
    paths to /usr/bin/totpprov and totpprov.1 to satisfy rpmlint.

* Fri May 15 2026 Konstantin Ryabitsev - 0.7.0-1
- Update to upstream 0.7.0:
  - Drops Python 2 compatibility code and fixes latent post-py3-port
    bugs (ConfigParser.X references, py2 octal literals, except E,x
    syntax, unicode() calls) that prevented several modules from
    importing.
  - Migrates packaging to setuptools + pyproject.toml; distutils removal
    in Python 3.12 had made the old setup.py unbuildable.
  - Replaces the passlib bcrypt code path with direct calls to the
    bcrypt library, since passlib 1.7.4 is unmaintained and its
    self-check is incompatible with bcrypt >= 4.1's strict 72-byte limit.
  - Project is now flagged as on life support; see README.rst for
    details and pointers to modern alternatives.
- Fix Requires: switch python3-cryptography to python3-pycryptodome,
  since the code imports from the Crypto.* namespace provided by
  pycryptodome, not the cryptography.* namespace.

* Fri May 15 2026 Konstantin Ryabitsev - 0.6-0.pre.1
- Modernize spec for EL10/AlmaLinux 10: drop Python 2 support, switch to
  python3 macros and dependencies.
- Drop the selinux subpackage and all related SELinux
  build/install/scriptlet machinery; rely on the distro's base policy
  instead.

* Thu May 22 2014 Konstantin Ryabitsev - 0.6.0-0.pre.1
- New pre 0.6

* Fri Sep 20 2013 Konstantin Ryabitsev - 0.5.5-1
- New version 0.5.5 with new features

* Mon Dec 03 2012 Konstantin Ryabitsev - 0.5.4-1
- Make sure provisioning pages are not cached.
- Minor documentation fixes.

* Wed Nov 28 2012 Konstantin Ryabitsev - 0.5.3-2
- Minor fixes for fedora-review (RHBZ #880863)

* Tue Nov 27 2012 Konstantin Ryabitsev - 0.5.3-1
- Release 0.5.3 with minor fixes.

* Mon Nov 26 2012 Andrew Grimberg - 0.5.2-2
- Move the user adds for totpcgi & totpcgiprov to python-totpcgi package

* Mon Nov 19 2012 Konstantin Ryabitsev - 0.5.2-1
- Release 0.5.2 with a fix for a potential replay attack in case the
  pincode was submitted with a typo (issue #12)

* Fri Jun 29 2012 Konstantin Ryabitsev - 0.5.1-1
- Release 0.5.1 with trust_http_auth functionality.

* Wed May 30 2012 Andrew Grimberg - 0.5.0-2
- Reorder the package dependencies slightly
- Add in post scripts for totpcgi & totpcgi-provisioning for SE labeling

* Wed May 30 2012 Konstantin Ryabitsev - 0.5.0-2
- Use a manual fixfiles list, as we have more than one package

* Thu May 24 2012 Konstantin Ryabitsev - 0.5.0-1
- Split into more packages: totpcgi, python-totpcgi, totpcgi-provisioning,
  totpcgi-selinux

* Tue May 08 2012 Konstantin Ryabitsev - 0.4.0-1
- Update to 0.4.0, which adds encrypted-secret functionality.
- Require python-crypto and python-passlib

* Fri May 04 2012 Konstantin Ryabitsev - 0.3.1-3
- Package SELinux using Fedora's guidelines.
- Add contrib dir in its entirety.
- Use config(noreplace).

* Tue May 01 2012 Andrew Grimberg - 0.3.1-2
- Exceptions on bad passwords to LDAP
- Config for CA cert to use for verification
- PostgreSQL pincode & secrets backends

* Thu Apr 12 2012 Andrew Grimberg - 0.3.0-1
- Bump version number
- Split backend system

* Wed Apr 11 2012 Andrew Grimberg - 0.2.0-4
- Add in pincode.py script

* Mon Mar 26 2012 Andrew Grimberg - 0.2.0-3
- Fix path perms for /var/www/totpcgi so that apache can chdir
- Reduce perms on /var/www/totpcgi/totp.cgi to bare minimum

* Fri Mar 23 2012 Konstantin Ryabitsev - 0.2.0-2
- Update to better match Fedora's spec standards.

* Wed Mar 21 2012 Andrew Grimberg - 0.2.0-1
- Initial spec file creation and packaging