Sunsetting SHA-1 in HTTPS on GitHub
What’s changing
We’re going to remove the use of SHA-1 in HTTPS for GitHub and our CDNs. This impacts browsers that are used to view the GitHub website, any software that uses the GitHub API, and Git clients that push and pull over HTTPS. These changes will be made to github.com, including GitHub Enterprise Cloud and GitHub Enterprise Cloud with Data Residency. GitHub Enterprise Server will not be affected.
Deprecation schedule
We will conduct a brownout, where we temporarily disable SHA-1 to raise awareness around the deprecation. If you are impacted by the brownout, you will need to plan to add support for more modern TLS algorithms. Our planned schedule for SHA-1 deprecation and removal is as follows:
- July 14th, 2026: Brownout. We will run a brownout from 00:00 to 18:00 UTC that will disable SHA-1. The brownout will not impact CDNs.
- September 15th, 2026: SHA-1 in HTTPS / TLS will be completely disabled for GitHub and partner CDNs.
Preparing for removal
For browsers, using a modern, up-to-date browser ensures support for algorithms newer than SHA-1. Consult your browser’s documentation for more information about the algorithms it supports.
You can test your browser by visiting https://github.dev, where SHA-1 is already disabled. If you can successfully load that site without a connection issue, then your browser supports modern HTTPS configurations.
Similarly, for the API, ensure you are using a modern framework or library to connect to the API.
Finally, for the Git client, ensure you are using a recent version of Git. Git supports several libraries, or backends, that provide HTTPS support. For example, Git on Linux may use OpenSSL as a TLS backend. Ensure you are using a recent version of Git with an up-to-date operating system and components.
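The github.dev check described above for browsers, applied to a scripted client, as an added example that is not GitHub's code: `probe_tls` (a hypothetical helper) attempts one handshake with Python's `ssl` module and separates network, certificate and handshake failures. It assumes the github.dev test is equally meaningful for non-browser TLS clients, and it exercises only the TLS library Python is linked against, not the backend your Git or API client uses.

```python
import socket
import ssl

# Host the page names as already having SHA-1 disabled.
TEST_HOST = "github.dev"


def probe_tls(host=TEST_HOST, port=443, timeout=10.0, context=None):
    """Attempt one TLS handshake with `host` and classify the outcome.

    Returns a dict: on success the negotiated protocol and cipher suite,
    on failure the stage ("network", "certificate" or "tls") that failed.
    """
    ctx = context or ssl.create_default_context()
    # The TLS library this interpreter is linked against is what gets tested.
    result = {"host": host, "library": ssl.OPENSSL_VERSION, "ok": False}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # DNS failure, refused connection or timeout: says nothing about TLS.
        return {**result, "stage": "network", "error": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return {**result, "ok": True, "protocol": tls.version(),
                    "cipher": name, "bits": bits}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain (for example an intercepting proxy), not an
        # algorithm-support problem.
        return {**result, "stage": "certificate", "error": str(exc)}
    except OSError as exc:
        # ssl.SSLError is an OSError subclass: handshake rejected or aborted,
        # the stage where a lack of shared algorithms shows up.
        return {**result, "stage": "tls", "error": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    outcome = probe_tls()
    for key, value in outcome.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if outcome["ok"] else 1)
```

A result with stage `network` or `certificate` points at connectivity or trust-store problems rather than algorithm support, so only a `tls` failure against github.dev calls for updating the TLS library.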