Sunsetting SHA-1 in HTTPS on GitHub

Source: GitHub Changelog

What’s changing

We’re going to remove the use of SHA‑1 in HTTPS for GitHub and our CDNs. This impacts browsers that are used to view the GitHub website, any software that uses the GitHub API, and Git clients that push and pull over HTTPS. These changes will be made to github.com, including GitHub Enterprise Cloud and GitHub Enterprise Cloud with Data Residency. GitHub Enterprise Server will not be affected.

Deprecation schedule

We will conduct a brownout, where we temporarily disable SHA‑1 to raise awareness around the deprecation. If you are impacted by the brownout, you will need to plan to add support for more modern TLS algorithms. Our planned schedule for SHA‑1 deprecation and removal is as follows:

• July 14th, 2026 – Brownout. We will run a brownout from 00:00 to 18:00 UTC that will disable SHA‑1. The brownout will not impact CDNs.
• September 15th, 2026 – SHA‑1 in HTTPS/TLS will be completely disabled for GitHub and partner CDNs.

Preparing for removal

Browsers

• Using a modern, up‑to‑date browser will ensure support for algorithms newer than SHA‑1. Consult your browser’s documentation for details about the algorithms it supports. You can test your browser by visiting https://github.dev, where SHA‑1 is already disabled. If the site loads without a connection issue, your browser supports modern HTTPS configurations.

API clients

• Ensure you are using a modern framework or library to connect to the GitHub API.

Git clients

• Use a recent version of Git. Git can use various TLS backends (e.g., OpenSSL on Linux). Make sure you have an up‑to‑date Git version, operating system, and related components.