You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/SECURITY.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re
11
11
12
12
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
13
13
14
+
A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed.
Copy file name to clipboardExpand all lines: docs/install_linux.md
+44Lines changed: 44 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,34 @@
2
2
3
3
## Recommended _(Official)_
4
4
5
+
> [!IMPORTANT]
6
+
> Our Linux packages and repository metadata are signed with the following PGP key fingerprints:
7
+
> -`2C6106201985B60E6C7AC87323F3D4EA75716059`
8
+
> -`7F38BBB59D064DBCB3D84D725612B36462313325`
9
+
>
10
+
> You may be prompted to confirm the import of these keys during installation.
11
+
>
12
+
> <details><summary>Expand for SHA256/SHA512/MD5 checksums of our official keyring files.</summary>
13
+
> <p>
14
+
>
15
+
> **For security reasons, it is strongly recommended to only rely on SHA256/SHA512 checksums. MD5 checksums below are only for legacy systems where SHA256/SHA512 tooling is not available.**
RPM packages are hosted on the [GitHub CLI marketing site](https://cli.github.com) for various operating systems including:
@@ -46,6 +81,15 @@ RPM packages are hosted on the [GitHub CLI marketing site](https://cli.github.co
46
81
47
82
These packages are supported by the GitHub CLI maintainers with updates powered by [GitHub CLI deployment workflow](https://github.com/cli/cli/actions/workflows/deployment.yml).
48
83
84
+
> [!TIP]
85
+
> During installation, you may be prompted to confirm the import of PGP keys. You can verify the keys with the list of fingerprints at the top of this document.
86
+
>
87
+
> To verify the PGP keys before installing `gh`, you can run the following command and match the listed fingerprints with those at the top of this document:
0 commit comments