

Software Packages

Datraverse offers a ready-made installation binary and a comprehensive User Manual for download. Residents receive a Member Card from their Deployment Partner. The Card is their token as resident of the SavaPage Community and is to be imported into the SavaPage application to confirm their status.

The application allows a 40-day period for Visitors to decide whether or not to join the Community as Residents. Although every Visitor is encouraged to join as a Resident, organizations of up to 5 participants are allowed a permanent visitor status. All visitors get best-effort support directly from Datraverse. Residents can purchase support from their Deployment Partner.


For all available packages, visit the SavaPage download page.


Known Issues

Rolling Release Candidate 2021-12-01

This is a stable version, with improvements and new functions.
Please read the Release Notes: a database upgrade might be needed.

GNU Affero General Public License
Software is licensed under GNU Affero General Public License (AGPL) version 3 or any later version in compliance with Third Party Software Component Licenses.

CC BY-SA 4.0
User Manual is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Build 20210809: August 9, 2021
Please read the Release Notes: a database upgrade might be needed.

SavaPage Installer

GNU Affero General Public License
Distribution is licensed under GNU Affero General Public License (AGPL) version 3 or any later version in compliance with Third Party Software Component Licenses.

Distribution Size
SavaPage 1.3.0-final • 64-bit 106.0 MB

User Manual

PGP Signature

SHA512 Checksums

Package Verification

By checking the signature you can be sure that the file you downloaded was created by an official representative of the SavaPage community.

As an example it is assumed you downloaded savapage-setup-0.9.11-linux-x64.bin (the release) and savapage.asc (the detached PGP signature) in the same directory.

The PGP signature file must be downloaded from the secure Datraverse site:

$ wget https://www.savapage.org/download/savapage.asc

The release file can be downloaded or acquired elsewhere.

We use the commands of GNU Privacy Guard but any other OpenPGP compliant program should work as well.

First, we check the detached signature against the release:

$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 01:29:59 PM CET using DSA key ID 575FE2FE
gpg: Can't check signature: public key not found

It looks like we don't have the release manager's public key 575FE2FE on our local system. This can easily be resolved by retrieving the public key from a key server. One popular server is pgpkeys.mit.edu (which has a web interface for easy look-up as well). Public key servers are linked together, so we can connect to any server. We use the command line to retrieve the public key:

$ gpg --keyserver pgpkeys.mit.edu --recv-key 575FE2FE
gpg: requesting key 575FE2FE from hkp server pgpkeys.mit.edu
gpg: key 575FE2FE: "Rijk Ravestein <rijkr@datraverse.nl>" 1 new user ID
gpg: key 575FE2FE: "Rijk Ravestein <rijkr@datraverse.nl>" 2 new signatures
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:           new user IDs: 1
gpg:         new signatures: 2

We received a public key for an entity known as “Rijk Ravestein <rijkr@datraverse.nl>”. Beware that there is, as yet, no way of verifying that this key was really created by the person known as “Rijk Ravestein”. We will come back to this crucial issue later; let's first try to verify the release signature again:

$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 01:09:58 PM CET using DSA key ID 575FE2FE
gpg: Good signature from "Rijk Ravestein <rijkr@datraverse.nl>"
gpg:                 aka "[jpeg image of size 2565]"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4D1B E403 E7DB 5484 F8C8  F517 9FE2 CBE8 575F E2FE

The signature is good, meaning that the file has not been tampered with. However, the system reports that the key is not trusted, so we need to additionally verify that key 575FE2FE was created by the real “Rijk Ravestein”.

Even if the downloaded release verifies as technically good, we still need to validate that the key was created by an official representative of the SavaPage community. This check is crucial because any attacker can pose as an official representative by creating a public key, uploading it to the public key servers, and creating a malicious release signed by this fake key. If you then tried to verify the signature of this corrupt release, it would verify as good although the key was not the “real” key. Therefore, you need to validate the authenticity of the key.

The crucial step to validation is to confirm the fingerprint of the public key, which is shown by this command:

$ gpg --fingerprint 575FE2FE
gpg: checking the trustdb
gpg: no ultimately trusted keys found
pub   1024D/575FE2FE 2007-10-10
      Key fingerprint = 4D1B E403 E7DB 5484 F8C8  F517 9FE2 CBE8 575F E2FE
uid                  Rijk Ravestein <rijkr@datraverse.nl>
uid                  [jpeg image of size 2565]
sub   2048g/E30B1CDA 2007-10-10

Of course the best way to validate the fingerprint is face-to-face with the key owner, combined with a government-issued photo identification confirmation (a passport or driving license). However, there are more convenient ways, like reading the fingerprint over a telephone (voice verification), or trusting the fingerprint as communicated on the Datraverse key site.

You can apply ultimate trust as follows:

$ gpg --edit-key "Rijk Ravestein"
...
gpg> trust
pub  1024D/575FE2FE  created: 2007-10-10  expires: never       usage: SCA
                     trust: marginal      validity: unknown
sub  2048g/E30B1CDA  created: 2007-10-10  expires: never       usage: E
[ unknown] (1). Rijk Ravestein <rijkr@datraverse.nl>
[ unknown] (2)  [jpeg image of size 2565]

Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/575FE2FE  created: 2007-10-10  expires: never       usage: SCA
                     trust: ultimate      validity: unknown
sub  2048g/E30B1CDA  created: 2007-10-10  expires: never       usage: E
[ unknown] (1). Rijk Ravestein <rijkr@datraverse.nl>
[ unknown] (2)  [jpeg image of size 2565]
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

Now, when we validate the signature we get:

$ gpg --verify savapage.asc savapage-setup-0.9.11-linux-x64.bin
gpg: Signature made Tue 03 Feb 2015 03:27:17 PM CET using DSA key ID 575FE2FE
...
gpg: Good signature from "Rijk Ravestein <rijkr@datraverse.nl>"
gpg:                 aka "[jpeg image of size 2565]"

For more information on determining what level of trust works best for you, please read the GNU Privacy Handbook section on Validating other keys on your public keyring.
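
As an added example (not part of the original page or of SavaPage's own tooling), the signature check above can be scripted so that acceptance depends on the full fingerprint shown by `gpg --fingerprint 575FE2FE`, not on the 8-digit key ID or the local trust setting. It reads GnuPG's `--status-fd` output; the function names and the sample status lines are constructed for illustration.

```sh
# Added example: accept a release only if gpg reports a good signature made by
# the pinned release key, identified by its full fingerprint.

# Fingerprint as printed on this page by `gpg --fingerprint 575FE2FE`, spaces removed.
PINNED_FPR="4D1BE403E7DB5484F8C8F5179FE2CBE8575FE2FE"

# Constructed sample of `gpg --status-fd 1 --verify` output: good signature by
# the pinned key (the timestamp is made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9FE2CBE8575FE2FE Rijk Ravestein <rijkr@datraverse.nl>
[GNUPG:] VALIDSIG 4D1BE403E7DB5484F8C8F5179FE2CBE8575FE2FE 2015-02-03 1422966598 0 4 0 17 2 00 4D1BE403E7DB5484F8C8F5179FE2CBE8575FE2FE'

# Constructed sample: a different key whose fingerprint merely ends in the same
# 8 hex digits, so it is also displayed as "key ID 575FE2FE".
SAMPLE_LOOKALIKE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA575FE2FE Rijk Ravestein <rijkr@datraverse.nl>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA575FE2FE 2015-02-03 1422966598 0 4 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA575FE2FE'

# status_is_pinned: read status lines on stdin. Succeed only when exactly one
# signature is cryptographically valid, it is reported as GOODSIG (not
# EXPKEYSIG, REVKEYSIG or BADSIG), and the primary-key fingerprint (10th
# VALIDSIG argument) equals PINNED_FPR.
status_is_pinned() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; fpr = toupper($12) }
        END { exit !(good == 1 && valid == 1 && fpr == want) }'
}

# verify_release SIGNATURE FILE: run the real check on downloaded files.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_pinned
}

# Demo on the constructed samples (gpg itself is not needed for this part).
printf '%s\n' "$SAMPLE_GOOD" | status_is_pinned && echo "pinned key: accept"
printf '%s\n' "$SAMPLE_LOOKALIKE" | status_is_pinned || echo "look-alike key: reject"
```

With the files from the example above, the call would be `verify_release savapage.asc savapage-setup-0.9.11-linux-x64.bin`; a non-zero exit status means the release must not be installed.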

By validating that the SHA512 digest (checksum) of the downloaded file is identical to the one reported on the trusted secure SavaPage site you can be sure that it was created by an official representative of the SavaPage community.

Since this validation is solely based on the implicit trust of the secure connection with the SavaPage site, it is not as strong as the signature check, where the public PGP key of the release manager is the extra authentication factor.

First, download the sha512sums.txt file.

Then, check the file you downloaded against it. Make sure you save them in the same directory.

As an example:

$ sha512sum -c sha512sums.txt 2> /dev/null | grep savapage-setup-1.0.0-linux-x64.bin 
savapage-setup-1.0.0-linux-x64.bin: OK
Last modified: 2021/12/01 12:20 by rijk