Fix bug in file hashing on FIPS enabled system (#511)

MridulS · web-flow · commit e7e59e91f500 · 2026-01-26T17:59:40.000Z
Set `userforsecurity=False` on `hashlib` hashing algorithms to make FIPS
enabled systems happy.
diff --git a/pooch/hashes.py b/pooch/hashes.py
@@ -78,7 +78,13 @@ def file_hash(fname, alg="sha256"):
         )
     # Calculate the hash in chunks to avoid overloading the memory
     chunksize = 65536
-    hasher = ALGORITHMS_AVAILABLE[alg]()
+    # For hashlib algorithms, use usedforsecurity=False to support FIPS-enabled
+    # systems. xxhash algorithms don't support this parameter.
+    hasher = (
+        ALGORITHMS_AVAILABLE[alg](usedforsecurity=False)
+        if alg in hashlib.algorithms_available
+        else ALGORITHMS_AVAILABLE[alg]()
+    )
     with open(fname, "rb") as fin:
         buff = fin.read(chunksize)
         while buff:
diff --git a/pooch/utils.py b/pooch/utils.py
@@ -347,7 +347,7 @@ def unique_file_name(url: str) -> str:
     181a9d52e908219c2076f55145d6a344-data.txt.gz
 
     """
-    md5 = hashlib.md5(url.encode()).hexdigest()
+    md5 = hashlib.md5(url.encode(), usedforsecurity=False).hexdigest()
     fname = parse_url(url)["path"].split("/")[-1]
     # Crop the start of the file name to fit 255 characters including the hash
     # and the :
