Host ID

[danielmarbach]

Document the new host identifier algorithm and update the FIPS workaround to use a non-cryptographic hash.

• FIPS compliance: Document the NServiceBus.Core.Hosting.UseV2DeterministicGuid AppContext switch introduced in #7723 that opts into XxHash128-based host identifiers, replacing the legacy MD5 approach. Replace the SHA256 workaround with an XxHash128-based approach using System.IO.Hashing, which targets .NET Standard 2.0 and .NET Framework 4.6.2, making it available on all supported platforms. The snippet produces the same GUID as NServiceBus's internal DeterministicGuid.Create (verified by comparison test).
• v11 upgrade guide: Adds a "Host identifier algorithm change" section documenting the breaking change planned for v11 (#7734), where XxHash128 becomes the default.

Changes

FIPS compliance

• Split the ## NServiceBus section in nservicebus/compliance/fips.md into version-gated partials:
  • fips_host-id-generation_core_[,10).partial.md — Documents the legacy MD5 issue and provides an XxHash128-based workaround using System.IO.Hashing
  • fips_host-id-generation_core_[10,).partial.md — Documents the XxHash128 algorithm, the AppContext switch opt-in (code, environment variable, MSBuild), migration warning, and the legacy XxHash128 override approach
• Replace the SHA256 workaround snippet with XxHash128DeterministicGuid that uses XxHash128 from System.IO.Hashing. SHA256 was replaced because:
  • Host IDs are non-cryptographic identifiers. Using a cryptographic hash for this purpose is unnecessarily expensive.
  • XxHash128 is a non-cryptographic hash not subject to FIPS policy enforcement, making it the appropriate choice for generating deterministic GUIDs on FIPS-enabled systems.
  • System.IO.Hashing targets .NET Standard 2.0 and .NET Framework 4.6.2, so the snippet works on all supported platforms.
  • The snippet uses length-prefixed encoding matching NServiceBus's internal DeterministicGuid.Create to produce identical GUIDs.
• Tone down the FIPS compliance claim in the [10,) partial: scope it specifically to host identifier generation rather than implying general FIPS compliance.
• Deleted the obsolete Sha256DeterministicHash.cs snippet.
• Added System.IO.Hashing package reference to Core_All snippet project.

[Copilot]

Pull request overview

Documents NServiceBus host identifier generation changes related to FIPS environments and prepares users for the planned default switch to XxHash128 in the v11 upgrade guide.

Changes:

• Reworks the FIPS compliance page to use version-gated partials for host ID generation guidance.
• Updates the deterministic GUID workaround snippet from SHA1 to SHA256.
• Adds a v10→v11 upgrade guide section describing the upcoming host identifier algorithm change and the legacy opt-out.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
Snippets/Core/Core_All/Sha256DeterministicHash.cs	Updates the deterministic GUID snippet to use SHA256 and aligns region/class naming with the snippet reference.
nservicebus/upgrades/10to11/index.md	Adds guidance about the v11 default host identifier algorithm change and how to preserve legacy IDs.
nservicebus/compliance/fips.md	Splits host ID generation guidance into a versioned partial for clearer, version-specific instructions.
nservicebus/compliance/fips_host-id-generation_core_[10,).partial.md	Documents the v10.2+ XxHash128 opt-in switch and legacy override context for FIPS scenarios.
nservicebus/compliance/fips_host-id-generation_core_[,10).partial.md	Documents the pre-10 workaround using SHA256-based host ID overrides and clarifies the rationale.