cmd/internal/hash: stop using md5, sha1

These break if the tools are run with GODEBUG=fips140=only,
which happens if someone sets that during 'go test' (and a test
binary must be built).

The easiest fix is to make the tools compatible with this GODEBUG
by just using sha256 as the underlying hash always. Just in case,
I made the wrappers select different sections of the hash, but
none of the call sites really care.

This CL is for the Go 1.24 release, but a follow-up during the Go 1.25
dev cycle could change all the usage sites to only use Sum32/New32.

For #70514
Fixes #70878

Change-Id: Id5fea779c83df51d1680dbe561e0949c56e8d1e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/641096
Reviewed-by: Keith Randall <khr@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@google.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/internal/pkgbits/encoder.go b/src/internal/pkgbits/encoder.go
index c17a12399d..015842f58c 100644
--- a/src/internal/pkgbits/encoder.go
+++ b/src/internal/pkgbits/encoder.go
@@ -6,7 +6,7 @@ package pkgbits
 
 import (
 	"bytes"
-	"crypto/md5"
+	"crypto/sha256"
 	"encoding/binary"
 	"go/constant"
 	"io"
@@ -55,7 +55,7 @@ func NewPkgEncoder(version Version, syncFrames int) PkgEncoder {
 // DumpTo writes the package's encoded data to out0 and returns the
 // package fingerprint.
 func (pw *PkgEncoder) DumpTo(out0 io.Writer) (fingerprint [8]byte) {
-	h := md5.New()
+	h := sha256.New()
 	out := io.MultiWriter(out0, h)
 
 	writeUint32 := func(x uint32) {