====== Software Packages ======
Datraverse offers a ready-made installation binary and a comprehensive User Manual for download. [[Roles#Resident|Residents]] receive a Member Card from their [[Roles#Partner|Deployment Partner]]. The Card is their token as resident of the SavaPage Community and is to be imported into the SavaPage application to confirm their status.
The application allows for a 40-days period for [[Roles#Visitor|Visitors]] to decide whether to join the Community as Resident or not. Although any Visitor is encouraged to join as Resident, organizations up till 5 participants are allowed a permanent visitor status. All visitors get best-effort support directly from Datraverse. Residents can purchase support from their [[Roles#Partner|Deployment Partner]].
----
** For all available packages, visit the [[https://www.savapage.org/download/|SavaPage download page]]. **
----
[[savapage:known-issues|Known Issues]]
==== SavaPage 1.5.0-rc ====
//Rolling Release Candidate 2024-04-20//
This is a **stable** version, with improvements and new functions. \\
Please **read** the [[release_notes:release_notes_1.5.0|Release Notes]] : //a database upgrade might be needed.//
^ Distribution ^ Size ^
| [[https://www.savapage.org/download/snapshots/savapage-setup-1.5.0-rc-linux-x64.bin|SavaPage 1.5.0-rc • 64-bit]] | 109 MB |
| [[https://www.savapage.org/download/snapshots/savapage-manual-1.5.0-rc-A4.pdf| SavaPage 1.5.0-rc • User Manual • PDF]] | 10.6 MB |
| [[https://www.savapage.org/docs/manual|SavaPage 1.5.0-rc • Online Manual]] ||
[[https://www.gnu.org/licenses/agpl.html|{{:wiki:agpl.png|GNU Affero General Public License}}]] \\
Software is licensed under [[https://www.gnu.org/licenses/agpl.html|GNU Affero General Public License (AGPL)]] version 3 or any later version in compliance with
[[https://www.savapage.org/docs/licenses/|Third Party Software Component Licenses]].
[[https://creativecommons.org/licenses/by-sa/4.0/|{{wiki:cc-by-sa-4-0-88x31.png|CC BY-SA 4.0}}]] \\
User Manual is licensed under a [[https://creativecommons.org/licenses/by-sa/4.0/|Creative Commons Attribution-ShareAlike 4.0 International License]]
==== SavaPage 1.4.0-final ====
Build 20220819: August 19, 2022 \\
Please **read** the [[release_notes:release_notes_1.4.0|Release Notes]] : //a database upgrade might be needed.//
=== SavaPage Installer ===
[[https://www.gnu.org/licenses/agpl.html|{{:wiki:agpl.png|GNU Affero General Public License}}]] \\
Distribution is licensed under [[https://www.gnu.org/licenses/agpl.html|GNU Affero General Public License (AGPL)]] version 3 or any later version in compliance with
[[https://www.savapage.org/docs/licenses/|Third Party Software Component Licenses]].
^ Distribution ^ Size ^
| [[https://www.savapage.org/download/installer/savapage-setup-1.4.0-final-linux-x64.bin|SavaPage 1.4.0-final • 64-bit]] | 108.7 MB |
=== User Manual ===
[[https://creativecommons.org/licenses/by-sa/4.0/|{{wiki:cc-by-sa-4-0-88x31.png|CC BY-SA 4.0}}]] \\
User Manual is licensed under a [[https://creativecommons.org/licenses/by-sa/4.0/|Creative Commons Attribution-ShareAlike 4.0 International License]]
^ User Manual ^ Size ^
| [[https://www.savapage.org/download/manual/savapage-manual-1.4.0-A4.pdf|SavaPage 1.4.0 • PDF • A4]] | 10.5 MB |
| [[https://www.savapage.org/download/manual/savapage-manual-1.4.0.pdf|SavaPage 1.4.0 • PDF • Letter]] | 10.5 MB |
| [[https://www.savapage.org/download/manual/savapage-manual-1.4.0.epub|SavaPage 1.4.0 • EPUB]] | 10.6 MB |
=== PGP Signature ===
[[https://www.savapage.org/download/savapage.asc|savapage.asc]]
=== SHA512 Checksums ===
[[https://www.savapage.org/download/sha512sums.txt|sha512sums.txt]]
====== Package Verification ======
===== PGP Signature =====
//By checking the signature you can be sure that the file you downloaded was created by an official representative of the SavaPage community.//
As an example it is assumed you downloaded ''savapage-setup-0.9.11-linux-x64.bin'' (the release) and ''savapage.asc'' (the detached PGP signature) in the same directory.
The PGP signature file //must// be downloaded from the secure Datraverse site:
$ wget https://www.savapage.org/download/savapage.asc
The release file can be downloaded or acquired elsewhere.
We use the commands of [[https://www.gnupg.org/|GNU Privacy Guard]] but any other OpenPGP compliant program should work as well.
First, we check the detached signature against the release:
$ gpg savapage.asc
gpg: Signature made Tue 03 Feb 2015 01:29:59 PM CET using DSA key ID 575FE2FE
gpg: Can't check signature: public key not found
Looks like we don't have the release manager's public key ''575FE2FE'' in our local system. This can easily be resolved by retrieving the public key from a key server. One popular server is ''pgpkeys.mit.edu'' (which has a [[https://pgp.mit.edu/|web interface]] for easy look-up as well). Public key servers are linked together, so we can connect to any server. We use the command-line to retrieve the public key:
$ gpg --keyserver pgpkeys.mit.edu --recv-key 575FE2FE
gpg: requesting key 575FE2FE from hkp server pgpkeys.mit.edu
gpg: key 575FE2FE: "Rijk Ravestein " 1 new user ID
gpg: key 575FE2FE: "Rijk Ravestein " 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new user IDs: 1
gpg: new signatures: 2
We received a public key for an entity known as "Rijk Ravestein ". Beware, that there is no way of verifying this key was really created by the person known as "Rijk Ravestein". We will come back to this crucial issue later though, let's first try to verify the release signature again:
$ pgp savapage.asc
gpg: Signature made Tue 03 Feb 2015 01:09:58 PM CET using DSA key ID 575FE2FE
gpg: Good signature from "Rijk Ravestein "
gpg: aka "[jpeg image of size 2565]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D1B E403 E7DB 5484 F8C8 F517 9FE2 CBE8 575F E2FE
The signature is good, meaning that the file has not been tampered with. However, the system reports that the key is not trusted, so we need to additionally verify that key ''575FE2FE'' was created by the real "Rijk Ravestein".
==== Authenticity ====
Even if the downloaded release verifies as technically good, we still need to validate that the key was created by an official representative of the SavaPage community. This check is crucial because any attacker can pose as an official representative by creating a public key, upload it to the public key servers, and create a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would verify as good although the key was not the "real" key. Therefore, you need to validate the //authenticity// of the key.
The crucial step to validation is to confirm the //fingerprint// of the public key, which is shown by this command:
$ gpg --fingerprint 575FE2FE
gpg: checking the trustdb
gpg: no ultimately trusted keys found
pub 1024D/575FE2FE 2007-10-10
Key fingerprint = 4D1B E403 E7DB 5484 F8C8 F517 9FE2 CBE8 575F E2FE
uid Rijk Ravestein
uid [jpeg image of size 2565]
sub 2048g/E30B1CDA 2007-10-10
Of course the best way to validate the fingerprint is face-to-face with the key owner, combined with a government-issued photo identification confirmation (a passport or driving license). However, there are more convenient ways, like reading the fingerprint over a telephone (voice verification), or trusting the fingerprint as communicated on the [[https://www.datraverse.com/keys/|Datraverse key site]].
You can apply ultimate trust as follows:
$ gpg --edit-key "Rijk Ravestein"
...
gpg> trust
pub 1024D/575FE2FE created: 2007-10-10 expires: never usage: SCA
trust: marginal validity: unknown
sub 2048g/E30B1CDA created: 2007-10-10 expires: never usage: E
[ unknown] (1). Rijk Ravestein
[ unknown] (2) [jpeg image of size 2565]
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/575FE2FE created: 2007-10-10 expires: never usage: SCA
trust: ultimate validity: unknown
sub 2048g/E30B1CDA created: 2007-10-10 expires: never usage: E
[ unknown] (1). Rijk Ravestein
[ unknown] (2) [jpeg image of size 2565]
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> quit
Now, when we validate the signature we get:
$ pgp savapage.asc
gpg: Signature made Tue 03 Feb 2015 03:27:17 PM CET using DSA key ID 575FE2FE
...
gpg: Good signature from "Rijk Ravestein "
gpg: aka "[jpeg image of size 2565]"
For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on [[https://www.gnupg.org/gph/en/manual.html#AEN335|Validating other keys on your public keyring]].
===== SHA512 Digest =====
//By validating that the SHA512 digest (checksum) of the downloaded file is identical to the one reported on the trusted secure SavaPage site you can be sure that it was created by an official representative of the SavaPage community.//
Since this validation is solely based on the implicit trust of the //secure// connection with the SavaPage site, it is not as strong as the signature check, where the public PGP key of the release manager is the extra authentication factor.
First, download the [[https://www.savapage.org/download/sha512sums.txt|sha512sums.txt]] file.
Then, check the file you downloaded against it. Make sure you save them in the same directory.
As an example:
$ sha512sum -c sha512sums.txt 2> /dev/null | grep savapage-setup-1.0.0-linux-x64.bin
savapage-setup-1.0.0-linux-x64.bin: OK