Host ID#8246
Open
danielmarbach wants to merge 5 commits into
Open
Conversation
danielmarbach
requested review from
DavidBoike,
andreasohlund,
Copilot and
mattmercurio
Contributor
There was a problem hiding this comment.
Pull request overview
Documents NServiceBus host identifier generation changes related to FIPS environments and prepares users for the planned default switch to XxHash128 in the v11 upgrade guide.
Changes:
- Reworks the FIPS compliance page to use version-gated partials for host ID generation guidance.
- Updates the deterministic GUID workaround snippet from SHA1 to SHA256.
- Adds a v10→v11 upgrade guide section describing the upcoming host identifier algorithm change and the legacy opt-out.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| Snippets/Core/Core_All/Sha256DeterministicHash.cs | Updates the deterministic GUID snippet to use SHA256 and aligns region/class naming with the snippet reference. |
| nservicebus/upgrades/10to11/index.md | Adds guidance about the v11 default host identifier algorithm change and how to preserve legacy IDs. |
| nservicebus/compliance/fips.md | Splits host ID generation guidance into a versioned partial for clearer, version-specific instructions. |
| nservicebus/compliance/fips_host-id-generation_core_[10,).partial.md | Documents the v10.2+ XxHash128 opt-in switch and legacy override context for FIPS scenarios. |
| nservicebus/compliance/fips_host-id-generation_core_[,10).partial.md | Documents the pre-10 workaround using SHA256-based host ID overrides and clarifies the rationale. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
andreasohlund
approved these changes
May 11, 2026
DavidBoike
reviewed
May 11, 2026
| > FIPS policy enforcement does only exist on .NET Framework. | ||
| > FIPS policy enforcement only exists on .NET Framework. | ||
|
|
||
| The Particular Software Platform is not FIPS compatible, and no testing is done to ensure components will work properly on FIPS-enabled hardware. The platform currently uses `System.Security.Cryptography` classes only for hashing, and not for data security purposes. |
Member
There was a problem hiding this comment.
Do we need an "except where specifically stated" here, given we have a MessagePropertyEncryption component?
|
|
||
| > [!NOTE] | ||
| > FIPS policy enforcement does only exist on .NET Framework. | ||
| > FIPS policy enforcement only exists on .NET Framework. |
Member
There was a problem hiding this comment.
We have seen people running on base containers where SHA1 is missing though. Do we need to mention that?
|
|
||
| ### Migrating from MD5 to XxHash128 host identifiers | ||
|
|
||
| The new XxHash128-based algorithm produces different host identifiers than the legacy MD5-based algorithm. To avoid duplicate endpoint entries in [ServicePulse](/servicepulse/) after upgrading, the legacy MD5 algorithm remains the default in version 10.2. |
Member
There was a problem hiding this comment.
Suggested change
| The new XxHash128-based algorithm produces different host identifiers than the legacy MD5-based algorithm. To avoid duplicate endpoint entries in [ServicePulse](/servicepulse/) after upgrading, the legacy MD5 algorithm remains the default in version 10.2. | |
| The XxHash128-based algorithm produces different host identifiers than the legacy MD5-based algorithm. In version 10.2, the legacy MD5 algorithm remains the default, in order to avoid duplicate endpoint entries in [the ServicePulse Heartbeats view](/monitoring/heartbeats/in-servicepulse.md) after upgrading. |
| <PackageReference Include="NUnit3TestAdapter" Version="5.*" /> | ||
| <PackageReference Include="OpenTelemetry" Version="1.*" /> | ||
| <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.*" /> | ||
| <PackageReference Include="System.IO.Hashing" Version="10.*" /> |
Member
There was a problem hiding this comment.
The updated alpha will bring this in though, right?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Document the new host identifier algorithm and update the FIPS workaround to use a non-cryptographic hash.
NServiceBus.Core.Hosting.UseV2DeterministicGuidAppContext switch introduced in #7723 that opts into XxHash128-based host identifiers, replacing the legacy MD5 approach. Replace the SHA256 workaround with an XxHash128-based approach usingSystem.IO.Hashing, which targets .NET Standard 2.0 and .NET Framework 4.6.2, making it available on all supported platforms. The snippet produces the same GUID as NServiceBus's internalDeterministicGuid.Create(verified by comparison test).Changes
FIPS compliance
## NServiceBussection innservicebus/compliance/fips.mdinto version-gated partials:fips_host-id-generation_core_[,10).partial.md— Documents the legacy MD5 issue and provides an XxHash128-based workaround usingSystem.IO.Hashingfips_host-id-generation_core_[10,).partial.md— Documents the XxHash128 algorithm, the AppContext switch opt-in (code, environment variable, MSBuild), migration warning, and the legacy XxHash128 override approachXxHash128DeterministicGuidthat uses XxHash128 fromSystem.IO.Hashing. SHA256 was replaced because:System.IO.Hashingtargets .NET Standard 2.0 and .NET Framework 4.6.2, so the snippet works on all supported platforms.DeterministicGuid.Createto produce identical GUIDs.[10,)partial: scope it specifically to host identifier generation rather than implying general FIPS compliance.Sha256DeterministicHash.cssnippet.System.IO.Hashingpackage reference toCore_Allsnippet project.