
Go/git #13193

@t72053166-eng

Description

@t72053166-eng

Link to issue for design submission

Proposed Design

Upcoming PGP signing key rotation for GitHub CLI Linux packages #13118
Open
@babakks
Description
babakks
opened last week · edited by babakks
Member
Note

This issue only affects Linux users who install gh from our APT or RPM package repositories. If you are on Windows or macOS, or you installed gh via Homebrew, GitHub Releases, or built from source code, this does not apply to you.

What's happening?
Am I affected?
How to confirm locally installed keyring?
Debian/Ubuntu
RHEL/Fedora/CentOS/openSUSE/SUSE/Amazon Linux 2
What do I need to do?
New users
Existing APT users (Debian/Ubuntu)
Docker build failing?
Existing RPM users (Fedora, RHEL, CentOS, Amazon Linux 2, openSUSE/SUSE)
DNF5 (Fedora 41 or newer)
DNF4 (CentOS, RHEL, Fedora 40 or earlier)
Yum (Amazon Linux 2)
Zypper (openSUSE/SUSE)
Removing old key from RPM keyrings
Background
Final notes
What's happening?
The PGP key currently used to verify GitHub CLI Linux packages is expiring on Saturday, September 5, 2026. We have generated a new key and, on Wednesday, April 8, 2026, published an updated keyring file that contains both the old and new keys. This table lists the current and the new PGP key fingerprints:

| Key | Fingerprint |
| --- | --- |
| Current key (expires September 5, 2026) | 2C6106201985B60E6C7AC87323F3D4EA75716059 |
| New key | 7F38BBB59D064DBCB3D84D725612B36462313325 |

As background, in September 2024 our PGP signing key expired (#9569), disrupting Linux package installs and updates. At that time, we extended the expiration of the existing key as an emergency fix. This time, however, we are proactively rotating to a brand-new key well ahead of the expiry date.

Check out Am I affected? below to see if you are going to be affected by this change. For affected users, package install and update operations that rely on the old key will start failing after the expiry date unless you follow the steps outlined in this document. Typical error/warning messages look like any of the following:

W: Failed to fetch https://cli.github.com/packages/dists/stable/InRelease The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI opensource+cli@github.com The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 5612B36462313325
Transaction failed: Signature verification failed.
OpenPGP check for package ... from repo "gh-cli" has failed: Import of the key didn't help, wrong key?
The GPG keys listed for the "packages for the GitHub CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: gh...
GPG Keys are configured as: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059
...
Error: GPG check FAILED
The GPG keys listed for the "packages for the GitHub CLI" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Failing package is: gh...
GPG Keys are configured as: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059
Warning: File 'repomd.xml' from repository 'packages for the GitHub CLI' is signed with an unknown key '5612B36462313325'
...
Warning: We can't verify that no one meddled with this file, so it might not be
trustworthy anymore! You should not continue unless you know it's safe.
...
Repository 'packages for the GitHub CLI' is invalid.
[gh-cli|https://cli.github.com/packages/rpm] Valid metadata not found at specified URL
History:
  • Signature verification failed for repomd.xml
  • Can't provide /repodata/repomd.xml

gh-... (packages for the GitHub CLI): Signature verification failed [4-Signatures public key is not available]

Warning: File 'repomd.xml' from repository 'packages for the GitHub CLI' is signed with an unknown key '5612B36462313325'
...
Warning: We can't verify that no one meddled with this file, so it might not be
trustworthy anymore! You should not continue unless you know it's safe.
...
Repository 'packages for the GitHub CLI' is invalid.
[gh-cli|https://cli.github.com/packages/rpm] Failed to retrieve new repository metadata.
History:
  • Signature verification failed for repomd.xml

error: Verifying a signature using certificate 2C6106201985B60E6C7AC87323F3D4EA75716059 (GitHub CLI opensource+cli@github.com):
  1. Certificate 23F3D4EA75716059 invalid: certificate is not alive
      because: The primary key is not live
      because: Expired on 2026-09-05T12:44:10Z
  2. Key 23F3D4EA75716059 invalid: key is not alive
      because: The primary key is not live
      because: Expired on 2026-09-05T12:44:10Z

Am I affected?

| Scenario | Affected? |
| --- | --- |
| You cannot install or upgrade gh | Probably. See Existing APT users or Existing RPM users. |
| Installed gh via apt before the new keyring was published (April 8, 2026) and haven't re-run the installation steps since | Yes. See Existing APT users. |
| Installed gh via dnf, yum, or zypper before the new keyring was published (April 8, 2026) and haven't re-run the installation steps since | Yes. See Existing RPM users. |
| Installed gh using official docs after the new keyring was published (April 8, 2026) | No. Your keyring already contains the new key. |
| Installed gh via Homebrew, Conda, a community package manager, or from precompiled binaries | No. These methods do not use our PGP key. |
| You do not remember when you installed gh | See How to confirm locally installed keyring? |

How to confirm locally installed keyring?
If you do not remember when you installed gh from the official docs, you can easily confirm if you are going to be affected by checking your local configuration. Follow the subsection that applies to you.

Debian/Ubuntu
Tip

If gpg is not installed, you can install it with:

sudo apt update
sudo apt install gnupg
Check how many keys are in your local keyring file:

gpg --show-keys /etc/apt/keyrings/githubcli-archive-keyring.gpg
Tip

If the file is not found at that path, try the older location:

gpg --show-keys /usr/share/keyrings/githubcli-archive-keyring.gpg
If you still cannot find the keyring file, check your APT source entry to see the path it references:

cat /etc/apt/sources.list.d/github-cli.list
Look for the signed-by= value in the output, which points to your keyring file path.

If the output shows two public key entries (with fingerprints 2C6106201985B60E6C7AC87323F3D4EA75716059 and 7F38BBB59D064DBCB3D84D725612B36462313325), you already have the updated keyring and no action is needed. This is what the output should look like:

pub rsa4096 2022-09-06 [SC] [expires: 2026-09-05]
2C6106201985B60E6C7AC87323F3D4EA75716059
uid GitHub CLI opensource+cli@github.com
sub rsa4096 2022-09-06 [E] [expires: 2026-09-05]

pub rsa4096 2026-04-07 [SC]
7F38BBB59D064DBCB3D84D725612B36462313325
uid GitHub CLI opensource+cli@github.com
sub rsa4096 2026-04-07 [E]
If only one key is listed (the old key 2C6106201985B60E6C7AC87323F3D4EA75716059), you need to update your keyring. See Existing APT users.

RHEL/Fedora/CentOS/openSUSE/SUSE/Amazon Linux 2
Check which GitHub CLI keys are imported in your RPM keyring:

rpm -qa gpg-pubkey | xargs -I{} sh -c 'rpm -qi {} | grep -q "opensource+cli@github.com" && echo {}'
If the output includes only one entry (the old key), you will need to update. See Existing RPM users.

If you see a second key entry, your system already has the new key and no action is needed.

What do I need to do?
New users
If you are installing gh for the first time, simply follow the standard Linux installation instructions. The current keyring file already contains the new key, so no extra steps are needed. This also applies if you installed gh for the first time after the new keyring was published (April 8, 2026).

Existing APT users (Debian/Ubuntu)
You need to replace your local copy of the keyring file. Run either of the following commands to download the updated keyring:

Using wget

sudo mkdir -p -m 755 /etc/apt/keyrings
sudo wget -qO /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
  && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg

Using curl

sudo mkdir -p -m 755 /etc/apt/keyrings
sudo curl -fsSL -o /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
  && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
Then update your package lists and upgrade gh:

sudo apt update
sudo apt install gh
Note

If your keyring file is located elsewhere (e.g., under /usr/share/keyrings/), you should update that path in the command above. However, the recommended location is /etc/apt/keyrings/. Regardless of the path, make sure the signed-by field in the APT source entry (at /etc/apt/sources.list.d/github-cli.list) points at the right keyring file.

Tip

You can verify the updated keyring contains both keys by running:

gpg --show-keys /etc/apt/keyrings/githubcli-archive-keyring.gpg
You should see an output like this:

pub rsa4096 2022-09-06 [SC] [expired: 2026-09-05]
2C6106201985B60E6C7AC87323F3D4EA75716059
uid GitHub CLI opensource+cli@github.com
sub rsa4096 2022-09-06 [E] [expired: 2026-09-05]

pub rsa4096 2026-04-07 [SC]
7F38BBB59D064DBCB3D84D725612B36462313325
uid GitHub CLI opensource+cli@github.com
sub rsa4096 2026-04-07 [E]
Docker build failing?
If your Docker build is failing because a layer previously added our package repository and a later layer runs apt update or apt-get update, you need to ensure the updated keyring is present.

If you control the layer that adds the keyring, rebuild it so it pulls the latest keyring file.

If you don't control that layer, add a new layer before any apt update or apt-get update that fetches the updated keyring:

RUN wget -qO /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
  && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
Or if you prefer using curl:

RUN curl -fsSL -o /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
  && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
If you don't use gh at all and it just happens to be in a base image, you can remove the repository so that apt update or apt-get update no longer try to verify it:

sudo rm /etc/apt/sources.list.d/github-cli.list
Existing RPM users (Fedora, RHEL, CentOS, Amazon Linux 2, openSUSE/SUSE)
RPM-based systems import PGP keys into their own keyring at install time. To pick up the new key, you need to re-fetch the repository configuration file, which now references an updated keyring. Choose the instructions matching your package manager below.

Note that when upgrading gh at the end, your package manager will prompt you to confirm importing the PGP keys. Verify that the key fingerprints match the following:

Old key: 2C6106201985B60E6C7AC87323F3D4EA75716059
New key: 7F38BBB59D064DBCB3D84D725612B36462313325
Important

Instructions below mimic our Linux installation guide. So, please make sure you follow the heading that you originally used to install gh.

DNF5 (Fedora 41 or newer)
Tip

Run dnf --version if you are unsure what version you are using.

Note

Ensure the config-manager plugin is installed (for example, sudo dnf install dnf5-plugins).

sudo dnf config-manager addrepo --overwrite --from-repofile=https://cli.github.com/packages/rpm/gh-cli.repo
sudo dnf update gh
DNF4 (CentOS, RHEL, Fedora 40 or earlier)
Tip

Run dnf --version if you are unsure what version you are using.

Note

Ensure the config-manager plugin is installed (for example, sudo dnf install 'dnf-command(config-manager)').

sudo dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
sudo dnf update gh
Yum (Amazon Linux 2)
Note

Ensure the config-manager plugin is installed (for example, sudo yum install yum-utils).

sudo yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
sudo yum update gh
Zypper (openSUSE/SUSE)
sudo zypper removerepo gh-cli
sudo zypper addrepo https://cli.github.com/packages/rpm/gh-cli.repo
sudo zypper update gh
Removing old key from RPM keyrings
If you still encounter key verification errors after re-adding the repository, you may need to remove the old key from the RPM keyring first:

Find the old PGP key:

sudo rpm -qa gpg-pubkey
Our old PGP key is usually named gpg-pubkey-75716059-63172e8a or gpg-pubkey-2c6106201985b60e6c7ac87323f3d4ea75716059-63172e8a. You can confirm the correct key by checking its Packager field:

sudo rpm -qi gpg-pubkey-75716059-63172e8a

or

sudo rpm -qi gpg-pubkey-2c6106201985b60e6c7ac87323f3d4ea75716059-63172e8a
The Packager should be GitHub CLI opensource+cli@github.com.

Once you have confirmed the Packager, remove the old PGP key:

sudo rpm -e gpg-pubkey-75716059-63172e8a

or

sudo rpm -e gpg-pubkey-2c6106201985b60e6c7ac87323f3d4ea75716059-63172e8a
Then remove and reinstall gh:

sudo dnf remove gh
sudo dnf install gh
(Replace dnf with yum or zypper as appropriate.)

Background
In September 2024, our PGP signing key expired (#9569), disrupting Linux package installs and updates. At that time, we extended the expiration of the existing key as an emergency fix.

This time, we are proactively rotating to a brand-new key well ahead of the expiry date. The updated keyring files (binary .gpg and ASCII armored .asc) already contain both the old and new keys, so anyone who has installed gh following our Linux installation instructions since April 8, 2026, is already covered.

Final notes
We apologize for any inconvenience this may cause. By announcing well in advance, we hope to give everyone enough time to update their keyring before the old key expires.

If you run into any problems, please follow up on this issue and we'll do our best to help.

Thank you for your patience and for using GitHub CLI!
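
The keyring check from "How to confirm locally installed keyring?" and the post-update verification tip, as an added example that is not part of the original issue or the GitHub CLI project: it reads `gpg --show-keys --with-colons` output and compares primary-key fingerprints against the two published above. The function names, status strings, script name and sample records are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify a GitHub CLI APT keyring by primary-key fingerprint.
# The two fingerprints are the ones published in the announcement above.
OLD_FPR=2C6106201985B60E6C7AC87323F3D4EA75716059
NEW_FPR=7F38BBB59D064DBCB3D84D725612B36462313325

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# Every pub and sub record is followed by its own fpr record, so subkey
# fingerprints are skipped; otherwise they would look like unknown keys.
primary_fprs() {
  awk -F: '
    $1 == "pub" || $1 == "sub" { last = $1 }
    $1 == "fpr" && last == "pub" { print $10; last = "" }
  '
}

# Print a status and return: 0 rotated (new key present), 1 old-only,
# 2 unexpected:<fingerprint> (a primary key that is neither), 3 empty.
classify_keyring() {
  fprs=$(primary_fprs)
  [ -n "$fprs" ] || { echo empty; return 3; }
  has_new=0
  for f in $fprs; do
    case $f in
      "$OLD_FPR") ;;
      "$NEW_FPR") has_new=1 ;;
      *) echo "unexpected:$f"; return 2 ;;
    esac
  done
  if [ "$has_new" -eq 1 ]; then echo rotated; return 0; fi
  echo old-only; return 1
}

# Constructed sample input: trimmed colon records with dummy subkey
# fingerprints, not captured from a real keyring.
sample_old_only() {
  cat <<'EOF'
pub:-:4096:1:23F3D4EA75716059:::::::
fpr:::::::::2C6106201985B60E6C7AC87323F3D4EA75716059:
uid:-::::::::GitHub CLI:
sub:-:4096:1:AAAAAAAAAAAAAAAA:::::::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

sample_rotated() {
  sample_old_only
  cat <<'EOF'
pub:-:4096:1:5612B36462313325:::::::
fpr:::::::::7F38BBB59D064DBCB3D84D725612B36462313325:
uid:-::::::::GitHub CLI:
sub:-:4096:1:CCCCCCCCCCCCCCCC:::::::
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
EOF
}

# Usage (hypothetical script name):
#   sh check-gh-keyring.sh /etc/apt/keyrings/githubcli-archive-keyring.gpg
if [ "$#" -ge 1 ]; then
  gpg --show-keys --with-colons "$1" | classify_keyring
fi
```

A non-zero exit status makes the check usable as a gate before `apt update` in a provisioning script or image build.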

Activity

babakks
added
enhancement
a request to improve CLI

packaging
last week

github-actions
added
needs-triage
needs to be reviewed
last week

cli
deleted a comment from github-actions last week

babakks
removed
needs-triage
needs to be reviewed
last week

babakks
pinned this issue last week

github-actions
mentioned this in 3 issues last week
GitHub Changelog:New PGP signing key for GitHub CLI Linux packages renefritze/github-changelog-reader#483
GitHub Changelog:New PGP signing key for GitHub CLI Linux packages abirismyname/github-changelog-reader#872
GitHub Changelog:New PGP signing key for GitHub CLI Linux packages forks-felickz/github-changelog-reader#229

starlein
added a commit that references this issue last week
Github signing key rotation

Verified
8bb8e94

starlein
mentioned this last week
Github signing key rotation paperclipai/paperclip#3212

greptile-apps
mentioned this last week
fix: update GitHub CLI GPG keyring checksum paperclipai/paperclip#3234

Mockup

GitHub CLI 2.90.0 Latest

@github-actions github-actions released this 5 hours ago
v2.90.0
26d2302
Manage agent skills with gh skill (Public Preview)
Agent skills are portable sets of instructions, scripts, and resources that teach AI coding agents how to perform specific tasks. The new gh skill command makes it easy to discover, install, manage, and publish agent skills from GitHub repositories - right from the CLI.

Discover skills

gh skill search copilot

Preview a skill without installing

gh skill preview github/awesome-copilot documentation-writer

Install a skill

gh skill install github/awesome-copilot documentation-writer

Pin to a specific version

gh skill install github/awesome-copilot documentation-writer --pin v1.2.0

Check installed skills for updates

gh skill update --all

Validate and publish your own skills

gh skill publish --dry-run
Skills are automatically installed to the correct directory for your agent host. gh skill supports GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity. Target a specific agent and scope with --agent and --scope flags.

gh skill publish validates skills against the Agent Skills specification and checks remote settings like tag protection and immutable releases to improve supply chain security.

Read the full announcement on the GitHub Blog.

gh skill is launching in public preview and is subject to change without notice.

Official extension suggestions
When you run a command that matches a known official extension that isn't installed (e.g. gh stack), the CLI now offers to install it instead of showing a generic "unknown command" error.

This feature is available for github/gh-aw and github/gh-stack.

When possible, you'll be prompted to install immediately. When prompting isn't possible, the CLI prints the gh extension install command to run.

gh extension install no longer requires authentication
gh extension install previously required a valid auth token even though it only needs to download a public release asset. The auth check has been removed, so you can install extensions without being logged in.

What's Changed
✨ Features
Add gh skill command group: install, preview, search, update, publish by @SamMorrowDrums in #13165
Suggest and install official extensions for unknown commands by @BagToad in #13175
gh skill publish: auto-push unpushed commits before publish by @SamMorrowDrums in #13171
Disable auth check for gh extension install by @BagToad in #13176
🐛 Fixes
Fix infinite loop in gh release list --limit 0 by @Bahtya in #13097
Ensure api and auth commands record agentic invocations by @williammartin in #13046
Disable auth check for local-only skill flags by @SamMorrowDrums in #13173
URL-encode parentPath in skills discovery API call by @SamMorrowDrums in #13172
Fix: use target directory remotes in skills publish by @SamMorrowDrums in #13169
Fix: preserve namespace in skills search deduplication by @SamMorrowDrums in #13170
📚 Docs & Chores
docs: include PGP key fingerprints by @babakks in #13112
docs: add sha/md5 checksums of keyring files by @babakks in #13150
docs: fix SHA512 checksum for GPG key by @timsu92 in #13157
docs(skill): polish skill commandset docs by @babakks in #13183
Document dependency CVE policy in SECURITY.md by @BagToad in #13119
Replace github.com/golang/snappy with klauspost/compress/snappy by @thaJeztah in #13048
chore: bump to go1.26.2 by @babakks in #13116
chore: delete experimental script/debian-devel by @babakks in #13127
Suggest first party extensions by @williammartin in #13182
Add cli/skill-reviewers as CODEOWNERS for skills packages by @BagToad in #13189
Add @cli/code-reviewers to all CODEOWNERS rules by @BagToad in #13190
Address post-merge review feedback for skills commands by @SamMorrowDrums in #13185
Fix skills-publish-dry-run acceptance test error message mismatch by @SamMorrowDrums in #13187
Skills: replace real git in publish tests with CommandStubber by @SamMorrowDrums in #13188
Remove redundant nil-client fallback in skills publish by @SamMorrowDrums in #13168
Publish: use shared discovery logic instead of requiring skills/ directory by @SamMorrowDrums in #13167
:dependabot: Dependencies
chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @dependabot[bot] in #13071
chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2 by @dependabot[bot] in #13045
chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0 by @dependabot[bot] in #13051
chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 by @dependabot[bot] in #13152
chore(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @dependabot[bot] in #13129
chore(deps): bump github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1 by @dependabot[bot] in #13128
chore(deps): bump github.com/in-toto/attestation from 1.1.2 to 1.2.0 by @dependabot[bot] in #13044
chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1 by @dependabot[bot] in #12918
chore(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 by @dependabot[bot] in #13076
chore(deps): bump github.com/hashicorp/go-version from 1.8.0 to 1.9.0 by @dependabot[bot] in #13065
New Contributors
@thaJeztah made their first contribution in #13048
@Bahtya made their first contribution in #13097
@timsu92 made their first contribution in #13157
@SamMorrowDrums made their first contribution in #13173
Full Changelog: v2.89.0...v2.90.0

Contributors
@williammartin
@thaJeztah
@SamMorrowDrums
@dependabot
@timsu92
@Bahtya
@babakks
@BagToad
williammartin, thaJeztah, and 6 other contributors