Datraverse offers a ready-made installation binary and a comprehensive User Manual for download. Fellows receive a Fellowship Card from their Deployment Partner. The Card is their token as a resident of the SavaPage Community and must be imported into the SavaPage application to confirm their status.
The application allows a 40-day period for Visitors to decide whether or not to join the Fellowship. Although every Visitor is encouraged to join as a Fellow, organizations with up to 5 participants are allowed a permanent visitor status. All visitors get best-effort support directly from Datraverse. Fellows can purchase support from their Deployment Partner.
For all available packages, please visit the SavaPage download page.
SavaPage is produced with a 100% Open Source toolchain, on computers with 100% Open Source Firmware.
Rolling Release Candidate
This is a stable version, with many improvements and new functions.
Please read the Release Notes.
Build 20160801: August 1, 2016.
User Manual by Rijk Ravestein is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
By checking the signature you can be sure that the file you downloaded was created by an official representative of the SavaPage community.
As an example, it is assumed you downloaded savapage-setup-0.9.11-linux-x64.bin (the release) and savapage.asc (the detached PGP signature) in the same directory.
The PGP signature file must be downloaded from the secure Datraverse site:
$ wget https://www.savapage.org/download/savapage.asc
The release file can be downloaded or acquired elsewhere.
We use the commands of GNU Privacy Guard, but any other OpenPGP-compliant program should work as well.
First, we check the detached signature against the release:
$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 01:29:59 PM CET using DSA key ID 575FE2FE
gpg: Can't check signature: public key not found
It looks like we don't have the release manager's public key 575FE2FE in our local system. This can easily be resolved by retrieving the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface for easy look-up as well). Public key servers are linked together, so we can connect to any server. We use the command line to retrieve the public key:
$ gpg --keyserver pgpkeys.mit.edu --recv-key 575FE2FE
gpg: requesting key 575FE2FE from hkp server pgpkeys.mit.edu
gpg: key 575FE2FE: "Rijk Ravestein <firstname.lastname@example.org>" 1 new user ID
gpg: key 575FE2FE: "Rijk Ravestein <email@example.com>" 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: new user IDs: 1
gpg: new signatures: 2
We received a public key for an entity known as “Rijk Ravestein firstname.lastname@example.org”. Beware that there is no way of verifying that this key was really created by the person known as “Rijk Ravestein”. We will come back to this crucial issue later; first, let's try to verify the release signature again:
$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 01:09:58 PM CET using DSA key ID 575FE2FE
gpg: Good signature from "Rijk Ravestein <email@example.com>"
gpg: aka "[jpeg image of size 2565]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D1B E403 E7DB 5484 F8C8 F517 9FE2 CBE8 575F E2FE
The signature is good, meaning that the file has not been tampered with. However, the system reports that the key is not trusted, so we need to additionally verify that key 575FE2FE was created by the real “Rijk Ravestein”.
Even if the downloaded release verifies as technically good, we still need to validate that the key was created by an official representative of the SavaPage community. This check is crucial because any attacker can pose as an official representative by creating a public key, uploading it to the public key servers, and creating a malicious release signed by this fake key. Then, if you tried to verify the signature of this corrupt release, it would verify as good although the key was not the “real” key. Therefore, you need to validate the authenticity of the key.
The crucial step to validation is to confirm the fingerprint of the public key, which is shown by this command:
$ gpg --fingerprint 575FE2FE
gpg: checking the trustdb
gpg: no ultimately trusted keys found
pub 1024D/575FE2FE 2007-10-10
    Key fingerprint = 4D1B E403 E7DB 5484 F8C8 F517 9FE2 CBE8 575F E2FE
uid Rijk Ravestein <firstname.lastname@example.org>
uid [jpeg image of size 2565]
sub 2048g/E30B1CDA 2007-10-10
Of course the best way to validate the fingerprint is face-to-face with the key owner, combined with a government-issued photo identification confirmation (a passport or driving license). However, there are more convenient ways, like reading the fingerprint over a telephone (voice verification), or trusting the fingerprint as communicated on the Datraverse key site.
Once you have validated the fingerprint, you can apply ultimate trust as follows:
$ gpg --edit-key "Rijk Ravestein"
...
gpg> trust
pub 1024D/575FE2FE created: 2007-10-10 expires: never usage: SCA
    trust: marginal validity: unknown
sub 2048g/E30B1CDA created: 2007-10-10 expires: never usage: E
[ unknown] (1). Rijk Ravestein <email@example.com>
[ unknown] (2) [jpeg image of size 2565]

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub 1024D/575FE2FE created: 2007-10-10 expires: never usage: SCA
    trust: ultimate validity: unknown
sub 2048g/E30B1CDA created: 2007-10-10 expires: never usage: E
[ unknown] (1). Rijk Ravestein <firstname.lastname@example.org>
[ unknown] (2) [jpeg image of size 2565]
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit
Now, when we validate the signature we get:
$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 03:27:17 PM CET using DSA key ID 575FE2FE
...
gpg: Good signature from "Rijk Ravestein <email@example.com>"
gpg: aka "[jpeg image of size 2565]"
For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
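The signature and fingerprint checks above can be combined into one scripted step. The following is an added example, not part of the original page or of SavaPage's tooling: it accepts a release only when gpg's machine-readable status reports a valid signature made by the key with the full fingerprint shown above, rather than matching on the 8-digit key ID, which more than one key can share. The function names check_status and verify_release are hypothetical.

```shell
#!/bin/sh
# Added example (not SavaPage's own tooling).
# Full fingerprint shown by `gpg --fingerprint 575FE2FE` on this page, spaces removed.
EXPECTED_FPR="4D1BE403E7DB5484F8C8F5179FE2CBE8575FE2FE"

# check_status EXPECTED_FPR  (hypothetical helper)
# Reads `gpg --status-fd` lines on stdin and succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the primary key fingerprint (its last field) and no
# line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_release SIGNATURE FILE [FINGERPRINT]  (hypothetical helper)
# Human-readable gpg messages go to stderr and are dropped; only the status
# lines on stdout decide the result.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$EXPECTED_FPR}"
}

# Usage: sh verify-release.sh savapage.asc savapage-setup-0.9.11-linux-x64.bin
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from $EXPECTED_FPR"
    else
        echo "REJECTED: no valid signature from $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

Because the decision rests on the fingerprint in the VALIDSIG line, the script gives the same answer whether or not the key has been marked as trusted in the local keyring.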
By validating that the SHA512 digest (checksum) of the downloaded file is identical to the one reported on the trusted secure Datraverse site you can be sure that it was created by an official representative of the SavaPage community.
Since this validation is solely based on the implicit trust of the secure connection with the Datraverse site, it is not as strong as the signature check, where the public PGP key of the release manager is the extra authentication factor.
First, download the SHA512SUMS file.
Then, check the file you downloaded against it. Make sure you save them in the same directory.
As an example:
$ sha512sum -c sha512sums.txt 2> /dev/null | grep savapage-setup-0.9.11-linux-x64.bin
savapage-setup-0.9.11-linux-x64.bin: OK
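The pipeline above prints OK or FAILED for a person to read, but its exit status is that of grep, which succeeds in both cases. For use in a script, the following added example (not from the original page) checks only the entry for the named release and returns the result of sha512sum itself. The function name check_release_sum is hypothetical, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not SavaPage's own tooling).

# check_release_sum SUMS_FILE RELEASE_FILE  (hypothetical helper)
# Returns 0 if RELEASE_FILE matches its SHA512 entry in SUMS_FILE,
# 1 on a digest mismatch, 2 if the entry is missing or ambiguous.
check_release_sum() {
    sums=$1
    release=$2
    name=$(basename "$release")

    # Keep only lines whose file name field is exactly NAME; a leading "*"
    # is the binary-mode marker written by sha512sum.
    entry=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n' "$sums") || return 2

    # Refuse to guess when the file is not listed, or listed more than once.
    count=$(printf '%s\n' "$entry" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one entry for $name, found $count" >&2
        return 2
    fi

    # sha512sum -c resolves names relative to the current directory, so run
    # it next to the release file and return its own exit status.
    ( cd "$(dirname "$release")" && printf '%s\n' "$entry" | sha512sum -c - >/dev/null 2>&1 )
}

# Usage: sh check-sum.sh sha512sums.txt savapage-setup-0.9.11-linux-x64.bin
if [ "$#" -eq 2 ]; then
    check_release_sum "$1" "$2" && echo "$2: OK"
fi
```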