fix: replace md5 with sha256 for FIPS-compliant cache key generation #765

Open
octo-patch wants to merge 1 commit into TheR1D:main from octo-patch:fix/issue-701-fips-sha256-cache

@octo-patch

Fixes #701

Problem

ShellGPT fails immediately on FIPS-enabled systems because the cache uses MD5 to generate cache keys. MD5 is not approved for use on FIPS 140-2/140-3 compliant systems, causing a ValueError when hashlib.md5() is called.

Solution

Replace md5 with sha256 for cache key generation. SHA-256 is FIPS-compliant and serves the same purpose here — producing a deterministic, fixed-length key from the request parameters. This is a non-cryptographic use case (cache key deduplication), so SHA-256 is a drop-in replacement with no functional difference.

Note: Existing cache files (named with MD5 hashes) will not be matched after this change, so the cache will be cold on first run. Old files will be gradually evicted by the existing _delete_oldest_files cleanup logic.

Testing

  • Verified that the cache key generation works correctly with SHA-256
  • The change is minimal and contained to sgpt/cache.py
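
The behaviour described in the pull request above, as an added example that is not code from the PR or from ShellGPT: a SHA-256 cache key derived from request parameters, a probe for the MD5 failure on FIPS systems, and a check that separates old MD5-named cache files from new ones. The function names and the JSON serialisation of the parameters are assumptions made for illustration.

```python
import hashlib
import json
import re


def cache_key(*args, **kwargs) -> str:
    """Deterministic, fixed-length key built from the request parameters.

    Assumption: parameters are JSON-serialisable. sort_keys makes the key
    independent of keyword-argument order.
    """
    payload = json.dumps((args, kwargs), sort_keys=True).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def md5_usable() -> bool:
    """Return False where hashlib.md5() raises ValueError (FIPS mode)."""
    try:
        hashlib.md5(b"probe")
        return True
    except ValueError:
        return False


MD5_NAME = re.compile(r"[0-9a-f]{32}")      # 128-bit digest, 32 hex chars
SHA256_NAME = re.compile(r"[0-9a-f]{64}")   # 256-bit digest, 64 hex chars


def classify_cache_file(name: str) -> str:
    """Tell legacy MD5-named cache entries apart from SHA-256-named ones."""
    if SHA256_NAME.fullmatch(name):
        return "sha256"
    if MD5_NAME.fullmatch(name):
        return "legacy-md5"  # never matched again after the switch
    return "unknown"


if __name__ == "__main__":
    # Constructed sample request parameters, not taken from the project.
    key = cache_key(model="example-model", prompt="list files", temperature=0.0)
    print("md5 usable on this host:", md5_usable())
    print(key, classify_cache_file(key))
    # Constructed legacy file name: the MD5 digest of the empty string.
    print(classify_cache_file("d41d8cd98f00b204e9800998ecf8427e"))
```
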

Development

Successfully merging this pull request may close these issues.

ShellGPT fails on FIPS-enabled Systems

1 participant