I’m requesting packaging for tpm2-totp, a tool that enables Time-based One-Time Passwords (TOTP) using a TPM 2.0 device. This package integrates with dracut and plymouth to allow secure "remote attestation" during early boot, based on TPM-measured system state. This package is part of the broader tpm2-software stack already available in Fedora (including tpm2-tools, tpm2-tss, etc.). I have prepared a working SPEC file and source RPM (SRPM) that build cleanly and pass Fedora packaging guidelines. While I’m not volunteering to maintain this package long-term, I’d appreciate if the existing TPM2 maintainers or other interested parties could consider taking it on. Links to individual files: spec: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/SPECS/tpm2-totp.spec patch: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/SOURCES/0001-install-module-always.patch src.rpm: https://github.com/matteriben/fedora-tpm2-totp/raw/refs/heads/main/SRPMS/tpm2-totp-0.3.0-1.fc42.src.rpm fedora-review: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/fedora-review.txt Links to copr: copr: https://copr.fedorainfracloud.org/coprs/matteriben/tpm2-totp build: https://download.copr.fedorainfracloud.org/results/matteriben/tpm2-totp/fedora-42-x86_64/09457152-tpm2-totp Screenshots: generate: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/images/generate.png attestation: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/images/attestation.png github: https://github.com/matteriben/fedora-tpm2-totp
The ticket summary is not in the correct format. Expected: Review Request: <main package name here> - <short summary here> Found: Review Request: tpm2-totp – Device attestation using TPM2 and TOTP As a consequence, the package name cannot be parsed and submitted to be automatically build. Please modify the ticket summary and trigger a build by typing [fedora-review-service-build]. --- This comment was created by the fedora-review-service https://github.com/FrostyX/fedora-review-service If you want to trigger a new Copr build, add a comment containing new Spec and SRPM URLs or [fedora-review-service-build] string.
links should be to files that can be downloaded with curl/wget spec: https://raw.githubusercontent.com/matteriben/fedora-tpm2-totp/refs/heads/main/SPECS/tpm2-totp.spec srpm: https://github.com/matteriben/fedora-tpm2-totp/raw/refs/heads/main/SRPMS/tpm2-totp-0.3.0-1.fc42.src.rpm
(In reply to Benson Muite from comment #2) > links should be to files that can be downloaded with curl/wget Thank you for the feedback, I updated the links in the description.
Issues: - When verifying source signatures, the packaging guidelines say that it MUST be done using the `%{gpgverify}` macro. The current version uses the gpg command directly and does not include the `BuildRequires: gpgverify` line. See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures - The package includes both the `tpm2-totp` application and the `libtpm2-totp.so` library. Packaging guidelines state that they SHOULD be packaged in subpackages. While it is a non-blocker, consider doing so. See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_mixed_use_packages - Changelog entry uses placeholder name and E-Mail address. - Patch is missing justification comment or link to upstream bug/comments/lists. Package Review ============== Legend: [x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated ===== MUST items ===== C/C++: [x]: Package does not contain kernel modules. [x]: If your application is a C or C++ application you must list a BuildRequires against gcc, gcc-c++ or clang. [x]: Header files in -devel subpackage, if present. [x]: ldconfig not called in %post and %postun for Fedora 28 and later. [x]: Package does not contain any libtool archives (.la) [x]: Package contains no static executables. [x]: Rpath absent or only used for internal libs. [x]: Development (unversioned) .so files in -devel subpackage, if present. Generic: [x]: Package is licensed with an open-source compatible license and meets other legal requirements as defined in the legal section of Packaging Guidelines. [x]: License field in the package spec file matches the actual license. [x]: License file installed when any subpackage combination is installed. [x]: %build honors applicable compiler flags or justifies otherwise. NOTE: Uses --disable-static %configure flag to adhere to the "Package contains no static executables." rule. [x]: Package contains no bundled libraries without FPC exception. [x]: Changelog in prescribed format. NOTE: It is in prescribed format, but the provided name and email for the initial RPM package is a placeholder and not the real one. [x]: Sources contain only permissible code or content. [-]: Package contains desktop file if it is a GUI application. [x]: Development files must be in a -devel package [x]: Package uses nothing in %doc for runtime. [x]: Package consistently uses macros (instead of hard-coded directory names). [x]: Package is named according to the Package Naming Guidelines. [x]: Package does not generate any conflict. [x]: Package obeys FHS, except libexecdir and /usr/target. [-]: If the package is a rename of another package, proper Obsoletes and Provides are present. [!]: Requires correct, justified where necessary. NOTE: Missing `BuildRequires: gpgverify`, related to other issue. [x]: Spec file is legible and written in American English. [-]: Package contains systemd file(s) if in need. [x]: Useful -debuginfo package or justification otherwise. [x]: Package is not known to require an ExcludeArch tag. [-]: Large documentation must go in a -doc subpackage. Large could be size (~1MB) or number of files. Note: Documentation size is 12491 bytes in 6 files. [!]: Package complies to the Packaging Guidelines NOTE: See other entries with [!]. [x]: Package successfully compiles and builds into binary rpms on at least one supported primary architecture. [x]: Package installs properly. [x]: Rpmlint is run on all rpms the build produces. Note: No rpmlint messages. [x]: If (and only if) the source package includes the text of the license(s) in its own file, then that file, containing the text of the license(s) for the package is included in %license. [x]: The License field must be a valid SPDX expression. [x]: Package requires other packages for directories it uses. [x]: Package must own all directories that it creates. [x]: Package does not own files or directories owned by other packages. [x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT [x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the beginning of %install. [x]: Macros in Summary, %description expandable at SRPM build time. [x]: Dist tag is present. [x]: Package does not contain duplicates in %files. [x]: Permissions on files are set properly. [x]: Package must not depend on deprecated() packages. [x]: Package use %makeinstall only when make install DESTDIR=... doesn't work. [x]: Package is named using only allowed ASCII characters. [x]: Package does not use a name that already exists. [x]: Package is not relocatable. [x]: Sources used to build the package match the upstream source, as provided in the spec URL. [x]: Spec file name must match the spec package %{name}, in the format %{name}.spec. [x]: File names are valid UTF-8. [x]: Packages must not store files under /srv, /opt or /usr/local [!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures. NOTE: Package guidelines say that sources MUST be verified with the %{gpgverify} macro. See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures ===== SHOULD items ===== Generic: [-]: If the source package does not include license text(s) as a separate file from upstream, the packager SHOULD query upstream to include it. [!]: Final provides and requires are sane (see attachments). NOTE: Missing `BuildRequires: gpgverify` for source verification. [x]: Fully versioned dependency in subpackages if applicable. [x]: Package functions as described. [x]: Latest version is packaged. [x]: Package does not include license text files separate from upstream. [!]: Patches link to upstream bugs/comments/lists or are otherwise justified. NOTE: Missing justification comment or link to upstream bug/comments/lists. [?]: Package should compile and build into binary rpms on all supported architectures. [x]: %check is present and all tests pass. [x]: Packages should try to preserve timestamps of original installed files. [x]: Reviewer should test that the package builds in mock. [x]: Buildroot is not present [x]: Package has no %clean section with rm -rf %{buildroot} (or $RPM_BUILD_ROOT) [x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin. [x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file [x]: Uses parallel make %{?_smp_mflags} macro. [x]: The placement of pkgconfig(.pc) files are correct. [x]: Sources can be downloaded from URI in Source: tag [x]: SourceX is a working URL. [x]: Spec use %global instead of %define unless justified. ===== EXTRA items ===== Generic: [x]: Rpmlint is run on debuginfo package(s). Note: No rpmlint messages. [x]: Rpmlint is run on all installed packages. Note: No rpmlint messages. [x]: Large data in /usr/share should live in a noarch subpackage if package is arched. [x]: Package should not use obsolete m4 macros [x]: Spec file according to URL is the same as in SRPM. Rpmlint ------- Checking: tpm2-totp-0.3.0-1.fc44.x86_64.rpm tpm2-totp-devel-0.3.0-1.fc44.x86_64.rpm tpm2-totp-0.3.0-1.fc44.src.rpm ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmp4k4ytotj')] checks: 32, packages: 3 3 packages and 0 specfiles checked; 0 errors, 0 warnings, 20 filtered, 0 badness; has taken 0.3 s Rpmlint (debuginfo) ------------------- Checking: tpm2-totp-debuginfo-0.3.0-1.fc44.x86_64.rpm ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml rpmlintrc: [PosixPath('/tmp/tmpdyd6fpk2')] checks: 32, packages: 1 1 packages and 0 specfiles checked; 0 errors, 0 warnings, 14 filtered, 0 badness; has taken 0.1 s Rpmlint (installed packages) ---------------------------- ============================ rpmlint session starts ============================ rpmlint: 2.8.0 configuration: /usr/lib/python3.14/site-packages/rpmlint/configdefaults.toml /etc/xdg/rpmlint/fedora-spdx-licenses.toml /etc/xdg/rpmlint/fedora.toml /etc/xdg/rpmlint/scoring.toml /etc/xdg/rpmlint/users-groups.toml /etc/xdg/rpmlint/warn-on-functions.toml checks: 32, packages: 3 3 packages and 0 specfiles checked; 0 errors, 0 warnings, 30 filtered, 0 badness; has taken 0.6 s Source checksums ---------------- https://github.com/tpm2-software/tpm2-totp/releases/download/v0.3.0/tpm2-totp-0.3.0.tar.gz : CHECKSUM(SHA256) this package : 1a8c83dc0d0dc58bd85a3fbfc9da6e39414c0d33f1a19886cde20f063f0c527b CHECKSUM(SHA256) upstream package : 1a8c83dc0d0dc58bd85a3fbfc9da6e39414c0d33f1a19886cde20f063f0c527b https://github.com/tpm2-software/tpm2-totp/releases/download/v0.3.0/tpm2-totp-0.3.0.tar.gz.asc : CHECKSUM(SHA256) this package : ad4db8629e140ffbedaf87db6cf26bfa94da65eebbca7257e0be99ef469a4e37 CHECKSUM(SHA256) upstream package : ad4db8629e140ffbedaf87db6cf26bfa94da65eebbca7257e0be99ef469a4e37 https://keys.openpgp.org/vks/v1/by-fingerprint/FE2E6249201CA54A4FB90D066E80CA1446879D04 : CHECKSUM(SHA256) this package : bc267adae61e46f86f93c8bbf7a98bc431cdd3e3c1f0131687938c70c361413d CHECKSUM(SHA256) upstream package : bc267adae61e46f86f93c8bbf7a98bc431cdd3e3c1f0131687938c70c361413d Requires -------- tpm2-totp (rpmlib, GLIBC filtered): /bin/bash /bin/sh dracut libc.so.6()(64bit) libply-boot-client.so.5()(64bit) libply.so.5()(64bit) libqrencode.so.4()(64bit) libtpm2-totp.so.0()(64bit) libtss2-esys.so.0()(64bit) libtss2-mu.so.0()(64bit) libtss2-rc.so.0()(64bit) libtss2-tctildr.so.0()(64bit) qrencode rtld(GNU_HASH) tpm2-tools tpm2-totp-devel (rpmlib, GLIBC filtered): /usr/bin/pkg-config libtpm2-totp.so.0()(64bit) pkgconfig(tss2-esys) pkgconfig(tss2-mu) tpm2-totp(x86-64) Provides -------- tpm2-totp: libtpm2-totp.so.0()(64bit) tpm2-totp tpm2-totp(x86-64) tpm2-totp-devel: pkgconfig(tpm2-totp) tpm2-totp-devel tpm2-totp-devel(x86-64) Generated by fedora-review 0.10.0 (e79b66b) last change: 2023-07-24 Command line :/usr/bin/fedora-review -b 2389097 Buildroot used: fedora-rawhide-x86_64 Active plugins: Generic, C/C++, Shell-api Disabled plugins: fonts, Haskell, Perl, PHP, R, Python, SugarActivity, Ocaml, Java Disabled flags: EXARCH, EPEL6, EPEL7, DISTTAG, BATCH
@fvorobev thanks for the proxy review. > [!]: Sources are verified with gpgverify first in %prep if upstream > publishes signatures. > NOTE: Package guidelines say that sources MUST be verified with > the %{gpgverify} macro. > See: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures Yes, probably better to use the %gpgverify macro and IMHO it needs to be build required in any case. > [?]: Package should compile and build into binary rpms on all supported > architectures. Tested on koji (which IMHO non packagers cannot use) and it builds OK on all supported arches. > [!]: Patches link to upstream bugs/comments/lists or are otherwise > justified. > NOTE: Missing justification comment or link to upstream bug/comments/lists. Yes, justification of the patch ant link to the upstream tracker would be useful here. Also mostly cosmetic: > %files devel I think it would be more legible to put it near the global %files section (i.e. after the %build and %install section). > make %{?_smp_mflags} Better to use the %make_build macro especially if you already use the %make_install macro later: %make_build > * Fri Aug 15 2025 You <you> - 0.3.0-1 You should use the real nick and email or use %autochangelog. @fvorobev I expect you to self-assign this bug and continue with the review / re-review once you become the fedora packager.
> - Patch is missing justification comment or link to upstream bug/comments/lists. IIRC under Fedora Atomic Desktop the patch was necessary to install the package with dracut via `rpm-ostree initramfs --enable`.