
docs: add sha/md5 checksums of keyring files #13150

Merged: babakks merged 1 commit into trunk from babakks/add-keyring-sha-md5-sums on Apr 13, 2026


@babakks babakks commented Apr 13, 2026

This PR adds SHA/MD5 checksums of our PGP keyring files (for Linux repositories) to help with users who need them for verification.

Verification

To verify that the checksums are correct, you can run these commands:

```bash
curl -fsSL -o githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg
sha256sum githubcli-archive-keyring.gpg
sha512sum githubcli-archive-keyring.gpg
md5sum githubcli-archive-keyring.gpg

curl -fsSL -o githubcli-archive-keyring.asc https://cli.github.com/packages/githubcli-archive-keyring.asc
sha256sum githubcli-archive-keyring.asc
sha512sum githubcli-archive-keyring.asc
md5sum githubcli-archive-keyring.asc
```
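
As an added example (not part of this PR or of the GitHub CLI docs), the manual comparison above can be scripted so that a mismatch stops the install instead of relying on eyeballing hex strings. The function name `verify_checksum` and the stand-in file are hypothetical; a real expected value would be copied from docs/install_linux.md.

```shell
#!/bin/sh
# verify_checksum FILE ALGO EXPECTED  (hypothetical helper, added example)
# Returns 0 on match, 1 on mismatch, 2 on bad input. MD5 is refused, in line
# with the recommendation to rely only on SHA-256/SHA-512.
verify_checksum() (
  file=$1 algo=$2
  # Published values may be pasted in upper case; compare in lower case.
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  case "$algo" in
    sha256) tool=sha256sum len=64 ;;
    sha512) tool=sha512sum len=128 ;;
    *) echo "refusing '$algo': use sha256 or sha512" >&2; return 2 ;;
  esac
  # Reject truncated or non-hex values so a partial paste cannot "match".
  case "$expected" in
    *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq "$len" ] || { echo "not a full $algo digest" >&2; return 2; }
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  # Hash from stdin so unusual file names cannot affect the output format.
  actual=$("$tool" < "$file" | cut -d' ' -f1)
  if [ "$actual" = "$expected" ]; then return 0; fi
  echo "$algo mismatch for $file: do not install it;" \
       "re-check the currently published value" >&2
  return 1
)

# Constructed offline demo: a stand-in file, not the real keyring.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a keyring\n' > "$demo_dir/keyring.gpg"
# Stands in for the SHA256 value published in the install docs.
published=$(sha256sum < "$demo_dir/keyring.gpg" | cut -d' ' -f1)
verify_checksum "$demo_dir/keyring.gpg" sha256 "$published" && echo "match"
printf 'x' >> "$demo_dir/keyring.gpg"   # simulate a file that changed
verify_checksum "$demo_dir/keyring.gpg" sha256 "$published" || echo "blocked"
rm -rf "$demo_dir"
```
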

@babakks babakks requested a review from a team as a code owner April 13, 2026 08:26
@babakks babakks requested review from BagToad and Copilot April 13, 2026 08:26

Copilot AI left a comment

Pull request overview

Adds published checksums for the official GitHub CLI Linux repository keyring files to make it easier for users to verify downloads.

Changes:

  • Adds a collapsible section listing SHA256/SHA512/MD5 checksums for the .gpg and .asc keyring files.
  • Documents both binary and ASCII-armored keyring URLs alongside their checksums.

| File | Description |
| --- | --- |
| docs/install_linux.md | Adds a <details> section under the Linux install “IMPORTANT” callout that lists checksums for the published keyring files. |

Copilot's findings

Comments suppressed due to low confidence (1)

docs/install_linux.md:26

  • Same as above: MD5 is collision-prone and shouldn’t be presented as an equally secure verification option. Consider adding a brief disclaimer near the checksums that MD5 is for legacy tooling only and recommend SHA256/SHA512 instead.
>    SHA512: 2ca9487d88a508a1c87f06b46ba336b11cc5f20bd83915b4c2acde49d2cffbbce76af1641bf8494c29a765f96bc1fd694ebde2954b28b80dcc76376b6f1b766d
>    MD5:    97100400ef48007b69e42be348cc6582
>    ```
  • Files reviewed: 1/1 changed files
  • Comments generated: 2

Copilot AI left a comment

Pull request overview

Adds published SHA/MD5 checksum values for the Linux repository keyring files to the Linux installation documentation to help users verify downloaded keyrings.

Changes:

  • Adds a collapsible section containing SHA256/SHA512/MD5 checksums for the .gpg and .asc keyring files.
  • Includes guidance discouraging MD5 usage except for legacy environments.

| File | Description |
| --- | --- |
| docs/install_linux.md | Documents checksum values for official keyring downloads to support user verification workflows. |

Copilot's findings

Comments suppressed due to low confidence (1)

docs/install_linux.md:16

  • The phrasing "SHA256/512" is a bit ambiguous; it would be clearer to refer to the algorithms explicitly as "SHA256 and SHA512" (or "SHA-256/SHA-512"). Since these values are hard-coded, consider also noting that they will be updated when the hosted keyring files change so users understand a future mismatch may indicate an updated keyring rather than a bad download.
>  **For security reasons, it is strongly recommended to only rely on SHA256/512 checksums. MD5 checksums below are only for legacy systems where SHA256/512 tooling is not available.**
>
  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Signed-off-by: Babak K. Shandiz <babakks@github.com>
@babakks babakks force-pushed the babakks/add-keyring-sha-md5-sums branch from cc9c90c to 274a5d6 Compare April 13, 2026 09:16
@babakks babakks self-assigned this Apr 13, 2026
@babakks babakks merged commit 9687208 into trunk Apr 13, 2026
6 checks passed
@babakks babakks deleted the babakks/add-keyring-sha-md5-sums branch April 13, 2026 17:00

@elizandamlagokk-lab elizandamlagokk-lab left a comment

47e7b7cd74f578e1e3145d48f669f22fd1330ca6
