The Meta API endpoint
previously contained MD5 signatures for GitHub’s SSH public keys. We have now deprecated these in favor of the newer SHA-256 fingerprints. Developers verifying the authenticity of GitHub’s keys should use the SHA-256 signature because it is a more modern cryptographic hash function. MD5 should not be used for security purposes to verify cryptographic identity, due to known collisions.
If your app dynamically fetches the MD5_RSA and MD5_DSA fields, please ensure that you have migrated to the SHA256_RSA and SHA256_DSA fingerprints. The old fingerprints are reprinted below, if static copies are needed for migration purposes. If your app doesn’t use the MD5_RSA and MD5_DSA fields, then your app will be unaffected by this change.