5 files changed, 7 insertions, 12 deletions

diff --git a/cli/Cargo.toml b/cli/Cargo.toml
index 5656c77f8..d11ef8849 100644
--- a/cli/Cargo.toml
+++ b/cli/Cargo.toml
@@ -101,11 +101,11 @@ dprint-plugin-markdown = "=0.16.4"
 dprint-plugin-typescript = "=0.89.3"
 env_logger = "=0.10.0"
 fancy-regex = "=0.10.0"
+faster-hex.workspace = true
 # If you disable the default __vendored_zlib_ng feature above, you _must_ be able to link against `-lz`.
 flate2.workspace = true
 fs3.workspace = true
 glob = "0.3.1"
-hex.workspace = true
 ignore = "0.4"
 import_map = { version = "=0.19.0", features = ["ext"] }
 indexmap.workspace = true
diff --git a/cli/npm/managed/tarball.rs b/cli/npm/managed/tarball.rs
index 90cae0cd2..1267b13d8 100644
--- a/cli/npm/managed/tarball.rs
+++ b/cli/npm/managed/tarball.rs
@@ -61,7 +61,7 @@ fn verify_tarball_integrity(
       let mut hash_ctx = Context::new(&ring::digest::SHA1_FOR_LEGACY_USE_ONLY);
       hash_ctx.update(data);
       let digest = hash_ctx.finish();
-      let tarball_checksum = hex::encode(digest.as_ref());
+      let tarball_checksum = faster_hex::hex_string(digest.as_ref());
       (tarball_checksum, hex)
     }
     NpmPackageVersionDistInfoIntegrity::UnknownIntegrity(integrity) => {
diff --git a/cli/tools/registry/mod.rs b/cli/tools/registry/mod.rs
index 7b940592f..faea95a1a 100644
--- a/cli/tools/registry/mod.rs
+++ b/cli/tools/registry/mod.rs
@@ -688,7 +688,7 @@ async fn publish_package(
         package.scope, package.package, package.version
       ),
       digest: provenance::SubjectDigest {
-        sha256: hex::encode(sha2::Sha256::digest(&meta_bytes)),
+        sha256: faster_hex::hex_string(&sha2::Sha256::digest(&meta_bytes)),
       },
     };
     let bundle = provenance::generate_provenance(subject).await?;
diff --git a/cli/tools/registry/provenance.rs b/cli/tools/registry/provenance.rs
index 117c10abc..69926372e 100644
--- a/cli/tools/registry/provenance.rs
+++ b/cli/tools/registry/provenance.rs
@@ -622,12 +622,12 @@ async fn testify(
   // Rekor "intoto" entry for the given DSSE envelope and signature.
   //
   // Calculate the value for the payloadHash field into the Rekor entry
-  let payload_hash = hex::encode(sha2::Sha256::digest(
+  let payload_hash = faster_hex::hex_string(&sha2::Sha256::digest(
     content.dsse_envelope.payload.as_bytes(),
   ));
 
   // Calculate the value for the hash field into the Rekor entry
-  let envelope_hash = hex::encode({
+  let envelope_hash = faster_hex::hex_string(&{
     let dsse = DsseEnvelope {
       payload: content.dsse_envelope.payload.clone(),
       payload_type: content.dsse_envelope.payload_type.clone(),
diff --git a/cli/util/checksum.rs b/cli/util/checksum.rs
index d9480eb6e..c9c55ec2b 100644
--- a/cli/util/checksum.rs
+++ b/cli/util/checksum.rs
@@ -3,18 +3,13 @@
 use ring::digest::Context;
 use ring::digest::SHA256;
 
+/// Generate a SHA256 checksum of a slice of byte-slice-like things.
 pub fn gen(v: &[impl AsRef<[u8]>]) -> String {
   let mut ctx = Context::new(&SHA256);
   for src in v {
     ctx.update(src.as_ref());
   }
-  let digest = ctx.finish();
-  let out: Vec<String> = digest
-    .as_ref()
-    .iter()
-    .map(|byte| format!("{byte:02x}"))
-    .collect();
-  out.join("")
+  faster_hex::hex_string(ctx.finish().as_ref())
 }
 
 #[cfg(test)]