If you write .NET software that cryptographically validates signatures, e.g. you verify a customer’s license at runtime, be aware of issues when the check runs on US government-certified FIPS-enabled computers.
Chances are that you use the SHA256Managed algorithm to compute a hash and compare it to that of your customer’s resource. (Or SHA1Managed. Or another *Managed, whatever.)
And it worked well for you. In most cases. Or until a specific customer.
The issue is that these (actually pretty fast) algorithms are not supported on FIPS-enabled Windows machines. Specifically, they throw a runtime exception whenever they are called if this [DWORD] registry key is set to 1 on the target machine (try it yourself):
(See also Microsoft’s 2014 recommendation against enabling FIPS blindly, but this won’t help if your customers are, regardless, still forced into their FIPS-enabled environments.)
To solve the issue, however, you can simply use another implementation, even though that documentation doesn’t clearly state it: use SHA256Cng (or SHA1Cng) instead.
While a bit slower, your check will now run successfully. And if you are in doubt about the performance cost, you can also try the managed algorithm first and use the CNG version just in [exceptional] case; that’s it.
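The managed-first, CNG-on-exception fallback described above, as an added example that is not code from the original post. It assumes .NET Framework, where the *Managed constructor throws InvalidOperationException under the FIPS policy; the class and method names (`FipsSafeHash`, `CreateSha256`, `HashesEqual`) are hypothetical, and the input is a constructed test vector.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; assumes .NET Framework. All names here are hypothetical.
public static class FipsSafeHash
{
    // Returns a SHA-256 implementation that is usable on this machine.
    public static SHA256 CreateSha256()
    {
        try
        {
            // Fast path: the managed implementation, tried first.
            return new SHA256Managed();
        }
        catch (InvalidOperationException)
        {
            // FIPS policy is enforced: fall back to the CNG-backed class.
            return new SHA256Cng();
        }
    }

    // Compares two digests without returning early on the first mismatch.
    public static bool HashesEqual(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample input: the standard "abc" SHA-256 test vector.
        byte[] data = Encoding.ASCII.GetBytes("abc");
        const string expectedHex =
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        byte[] expected = new byte[expectedHex.Length / 2];
        for (int i = 0; i < expected.Length; i++)
            expected[i] = Convert.ToByte(expectedHex.Substring(2 * i, 2), 16);

        using (SHA256 sha = CreateSha256())
        {
            byte[] actual = sha.ComputeHash(data);
            Console.WriteLine("FIPS-only policy: " + CryptoConfig.AllowOnlyFipsAlgorithms);
            Console.WriteLine("Implementation:   " + sha.GetType().Name);
            Console.WriteLine("Digest matches:   " + HashesEqual(actual, expected));
        }
    }
}
```

Both implementations produce the same digest, so hashes already stored for existing customers keep validating whichever path is taken.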