diff --git a/pkg/vendir/fetch/hg/hg.go b/pkg/vendir/fetch/hg/hg.go
index df035cff..73953175 100644
--- a/pkg/vendir/fetch/hg/hg.go
+++ b/pkg/vendir/fetch/hg/hg.go
@@ -5,6 +5,8 @@ package hg
 
 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net/url"
@@ -126,6 +128,8 @@ func (t *Hg) setup(tempArea ctlfetch.TempArea) error {
 		return fmt.Errorf("Expected non-empty URL")
 	}
 
+	cacheID := t.opts.URL
+
 	authOpts, err := t.getAuthOpts()
 	if err != nil {
 		return err
@@ -178,7 +182,7 @@ hgauth.password = %s
 			}
 
 			sshCmd = append(sshCmd, "-i", path, "-o", "IdentitiesOnly=yes")
-			t.cacheID += "private-key=" + *authOpts.PrivateKey + "|"
+			cacheID += "private-key=" + *authOpts.PrivateKey + "|"
 		}
 
 		if authOpts.KnownHosts != nil {
@@ -190,7 +194,7 @@ hgauth.password = %s
 			}
 
 			sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=yes", "-o", "UserKnownHostsFile="+path)
-			t.cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
+			cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
 		} else {
 			sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=no")
 		}
@@ -205,9 +209,12 @@ hgauth.password = %s
 			return fmt.Errorf("Writing %s: %s", hgRcPath, err)
 		}
 		t.env = append(t.env, "HGRCPATH="+hgRcPath)
-		t.cacheID += hgRc
+		cacheID += hgRc
 	}
 
+	sha := sha256.Sum256([]byte(cacheID))
+	t.cacheID = hex.EncodeToString(sha[:])
+
 	return nil
 }