
Meta API Deprecation of MD5 Signatures

The Meta API endpoint previously contained MD5 fingerprints for GitHub’s SSH public keys. We have now deprecated these in favor of the newer SHA-256 fingerprints. Developers verifying the authenticity of GitHub’s keys should use the SHA-256 fingerprints, because SHA-256 is a more modern cryptographic hash function. MD5 should not be used to verify cryptographic identity, because of its known collisions.

If your app dynamically fetches the MD5_RSA and MD5_DSA fields, please ensure that you have migrated to the SHA256_RSA and SHA256_DSA fingerprints. The old fingerprints are reprinted below in case static copies are needed for migration purposes. If your app doesn’t use the MD5_RSA and MD5_DSA fields, it is unaffected by this change.

"MD5_RSA": "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
"MD5_DSA": "ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c"
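
As an added example (not GitHub's code), here is one way a client could pin a host key to the SHA256_RSA field and refuse to fall back to MD5_RSA. The function names and sample key are constructed for illustration, and the SHA256_* values are assumed to be unpadded base64 of the SHA-256 digest of the key blob, optionally prefixed with `SHA256:`.

```python
import base64
import hashlib
import hmac
import re
import struct

# Colon-separated hex is the legacy MD5 fingerprint format shown above.
MD5_FP = re.compile(r"^(MD5:)?[0-9a-f]{2}(:[0-9a-f]{2}){15}$", re.I)

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample (NOT a GitHub key, not even a valid RSA key): type, e, n.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 66)))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-sample"

def key_blob(pubkey_line: str) -> bytes:
    """Decode 'type base64 [comment]' and check the type embedded in the blob."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return blob

def sha256_fingerprint(blob: bytes) -> str:
    """Unpadded base64 of SHA-256 over the blob (OpenSSH prints it after 'SHA256:')."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def is_legacy_md5(fp: str) -> bool:
    """True for a 16-byte colon-hex (MD5-style) fingerprint."""
    return bool(MD5_FP.match(fp.strip()))

def verify_host_key(pubkey_line: str, fields: dict, algo: str = "RSA") -> bool:
    """Compare a presented key against the pinned SHA256_<algo> field only."""
    pinned = fields.get("SHA256_" + algo)
    if pinned is None:
        raise ValueError("no SHA256_%s field; MD5_%s must not be used as a fallback" % (algo, algo))
    if is_legacy_md5(pinned):
        raise ValueError("pinned value is an MD5 fingerprint")
    if pinned.startswith("SHA256:"):
        pinned = pinned[len("SHA256:"):]
    actual = sha256_fingerprint(key_blob(pubkey_line))
    # Constant-time comparison of the two ASCII fingerprints.
    return hmac.compare_digest(actual, pinned.rstrip("="))
```
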

You can now more easily opt in to the public beta of GitHub Packages' improved containers experience. New users and organizations can opt in to the beta for their organization using organization settings, or for their user account using user feature preview.

Current organizations and users of the Packages containers beta will be automatically opted in for continued access to the service.

See Enabling improved container support for more information.
