Turning on securehashesonly seems to disable the addurl command:
```console % git config --get annex.securehashesonly true % git annex addurl https://www.gutenberg.org/cache/epub/2591/pg2591-images.html addurl https://www.gutenberg.org/cache/epub/2591/pg2591-images.html annex.securehashesonly blocked transfer of URL key failed addurl: 1 failed % git annex addurl https://www.gutenberg.org/cache/epub/2591/pg2591-images.html --relaxed addurl https://www.gutenberg.org/cache/epub/2591/pg2591-images.html (to www.gutenberg.org_cache_epub_2591_pg2591-images.html) ok (recording state in git...) % ls -l www.gutenberg.org_cache_epub_2591_pg2591-images.html www.gutenberg.org_cache_epub_2591_pg2591-images.html -> .git/annex/objects/gg/kG/URL--https&c%%www.gutenberg.org%cache%epub%2591%pg2591-images.html/URL--https&c%%www.gutenberg.org%cache%epub%2591%pg2591-images.html
I think that git-annex addurl without --fast or --relaxed should work with annex.securehashesonly set. (Unless annex.backend is set to something it prevents adding.) It is currently failing because of a temporary URL key that never reaches the repository. So the check should be disabled for that.
Arguably with --relaxed (or --fast) it should also fail. However, that does not actually download the content, so it does not technically add content to the repository that is not using a cryptographically signed hash. That's how it manages to skate by without failing. Of course git-annex get will later fail, git-annex fsck will complain, etc.