Fix pulp_hashlib.new() on FIPS systems

[kush-gupt]

Summary

• Add usedforsecurity=False to pulp_hashlib.new() so FIPS-disallowed algorithms (e.g. md5, sha1) used for content addressing no longer raise UnsupportedDigestmodError.
• All hashes from this wrapper are for content addressing (storage paths, dedup, manifest IDs), never for cryptographic security. setdefault preserves any explicit usedforsecurity=True a caller might pass.
• Validated on a FIPS-enabled RHEL 9.7 VM running Satellite 6.18: manifest upload returned UnsupportedDigestmodError before the fix, HTTP 201 after.

Checklist

• Commits are squashed to one
• A changelog entry has been added
• Follows the Pulp policy on AI Usage

closes #7434

See also: pulp/pulp_container#2256

Made with Cursor

[daviddavis]

I don't think this change is necessary. I think the Satellite RPMs ship a patch that sets usedforsecurity=True as needed.

That said, it's been a very long time since I worked on this so maybe things have changed.

[kush-gupt]

Closing this — @daviddavis is right, Satellite already ships a downstream patch for pulp_hashlib that handles md5 with usedforsecurity=False. Re-verified on a FIPS RHEL 9.7 VM: the pulp_container fix alone (pulp/pulp_container#2258) is sufficient. Thanks for the pointer!