The forge api recently added file_sha256 for module downloads, see FORGE-360. The PMT should prefer that digest always. If the digest is missing and fips is enabled, it should raise like it does now. If fips is not enabled, then it should fall back to md5.