diff --git a/docs/nmap-install.xml b/docs/nmap-install.xml index eb13c8602..adefa1429 100644 --- a/docs/nmap-install.xml +++ b/docs/nmap-install.xml @@ -154,21 +154,21 @@ sub 2048g/A50A6A94 2005-04-24 For every Nmap package download file (e.g. nmap-4.76.tar.bz2 and nmap-4.76-win32.zip), there is a corresponding -file in the sigs directory with .gpg.txt appended -to the name (e.g. nmap-4.76.tar.bz2.gpg.txt). +file in the sigs directory with .asc appended +to the name (e.g. nmap-4.76.tar.bz2.asc). This is the detached signature file. With the proper PGP key in your keyring and the detached signature file downloaded, verifying an Nmap release takes a single GPG command, as shown in . If the file has been +linkend="ex-gpg-verify-nmap-release-good" xrefstyle="select: label nopage"/>. That example assumes that the verified file can be found in the same directory by simply removing .asc from the signature filename. When that isn't the case, simply pass the target filename as the final argument to GPG. If the file has been tampered with, the results will look like . Verifying PGP key fingerprints (Successful) -flog> gpg --verify nmap-4.76.tar.bz2.gpg.txt nmap-4.76.tar.bz2 +flog> gpg --verify nmap-4.76.tar.bz2.asc gpg: Signature made Fri 12 Sep 2008 02:03:59 AM PDT using DSA key ID 6B9355D0 gpg: Good signature from "Nmap Project Signing Key (http://www.insecure.org/)" 
@@ -176,13 +176,13 @@ gpg: Good signature from "Nmap Project Signing Key (http://www.insecure.org/)" Detecting a bogus file -flog> gpg --verify nmap-4.76.tar.bz2.gpg.txt nmap-4.76-hacked.tar.bz2 +flog> gpg --verify nmap-4.76.tar.bz2.asc nmap-4.76-hacked.tar.bz2 gpg: Signature made Fri 12 Sep 2008 02:03:59 AM PDT using DSA key ID 6B9355D0 gpg: BAD signature from "Nmap Project Signing Key (http://www.insecure.org/)" While PGP signatures are the recommended validation technique, -SHA1 and MD5 (among other) +SHA2, SHA1, and MD5 (among other) hasheshashes, cryptographicdigests, cryptographic are made available for more casual validation. An attacker who can manipulate your Internet traffic in @@ -196,8 +196,7 @@ file, there is a corresponding file in the sigs directory w (e.g. nmap-4.76.tar.bz2.digest.txt). An example is shown in . This is the detached signature file. The hashes from the digest file can be verified using common tools such as -sha1sum, md5sum, -or gpg, as shown in gpg, sha1sum, or md5sum, as shown in . @@ -221,12 +220,13 @@ nmap-4.76.tgz: SHA512 = 826CD89F 7930A765 C9FE9B41 1DAFD113 2C883857 2A3A9503 Verifying Nmap hashes +flog> gpg --print-md sha256 nmap-4.76.tgz +nmap-4.76.tgz: 0E960E05 53EB7647 0C8517A0 038092A3 969DB65C BE23C03F D6DAEF1A + CDCC9658 flog> sha1sum nmap-4.76.tgz 4374cf9ca8822c285de9d00e8f6706d0bcfaa403 nmap-4.76.tgz flog> md5sum nmap-4.76.tgz 54b5c9e3f44c1adde17df68170eb7cfe nmap-4.76.tgz -flog> gpg --print-md sha1 nmap-4.76.tgz -nmap-4.76.tgz: 4374 CF9C A882 2C28 5DE9 D00E 8F67 06D0 BCFA A403 While releases from Nmap.Org are signed as described in this
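Review bot: in the first hunk the example title "Verifying PGP key fingerprints (Successful)" does not match what the listing demonstrates, which is verifying a release tarball against its detached signature, not checking a key fingerprint; since the listing is being rewritten for the .asc rename anyway, retitle it (e.g. "Verifying an Nmap release signature (Successful)") so it matches the "Detecting a bogus file" counterpart. The new prose about gpg locating the signed file by stripping .asc is correct for `gpg --verify nmap-4.76.tar.bz2.asc`, but "simply" appears in two consecutive sentences; drop one.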
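Review bot: the line changed in the second hunk keeps the pre-existing grammar slip "(among other) hashes"; since you are touching it, make it "SHA2, SHA1, and MD5 (among others) hashes", or better "SHA2, SHA1, MD5, and other hashes". Leading with SHA2 is the right emphasis given that the bogus-file paragraph just above explains why a casual hash check is weaker than a signature check.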
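Review bot: the context of the third hunk still says "This is the detached signature file." immediately after introducing the .digest.txt file, which is wrong: the digest file carries hashes, not a PGP signature, and the sentence reads as a copy-paste from the PGP paragraph earlier in the document. Replace it with "This is the digest file." or delete it, so readers do not conflate hash checking with signature verification. The reordering to "gpg, sha1sum, or md5sum" is fine and matches the new example order.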
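Review bot: the fourth hunk adds a `gpg --print-md sha256` example, but the only digest-file line visible in the hunk context is the SHA512 entry for nmap-4.76.tgz, so the reader has nothing shown to compare the new SHA256 value against; either add the matching SHA256 line to the digest example this text references or print the same algorithm the digest example shows (`gpg --print-md sha512 nmap-4.76.tgz`). Dropping the old `gpg --print-md sha1` line is reasonable since sha1sum already covers SHA1, and the wrapped two-line output with the indented "CDCC9658" continuation is how gpg formats a SHA256 digest, so that part is correct as written.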