The Meta API endpoint previously contained MD5 signatures for GitHub’s SSH public keys. We have now deprecated these in favor of the newer SHA-256 fingerprints. Developers verifying the authenticity of GitHub’s keys should use the SHA-256 signature because it is a more modern cryptographic hash function. MD5 should not be used for security purposes to verify cryptographic identity, due to known collisions.

 

If your app dynamically fetches the MD5_RSA and MD5_DSA fields, please ensure that you have migrated to the SHA256_RSA and SHA256_DSA fingerprints. The old fingerprints are reprinted below, if static copies are needed for migration purposes. If your app doesn’t use the MD5_RSA and MD5_DSA fields, then your app will be unaffected by this change.

 

"MD5_RSA": "16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48"
"MD5_DSA": "ad:1c:08:a4:40:e3:6f:9c:f5:66:26:5d:4b:33:5d:8c"