I saw a request for Koji to use a stronger cryptographic hash function such as SHA256
( https://fedorahosted.org/koji/ticket/119 ) on RPM packages. I took some time in reading how the
RPMTAG_SIGMD5 is calculated and implemented some Python code to hash the same RPM data
using hashlib's SHA256 module. The outputted SHA256 digest can be stored in Koji's DB and
also retrieved/calculated/checked with any new packages that are being submitted.

$ rpm -q --queryformat '%{RPMTAG_SIGMD5}' -p "gcc-4.6.2-1.fc17.1.src.rpm"
c88e96685e7eb3a124a5707b1bc41333
$ python sha2pay.py gcc-4.6.2-1.fc17.1.src.rpm
['c88e96685e7eb3a124a5707b1bc41333', 'c729d818d5468f8b1147cb70b266992f92f58c9dace218417c7582427d1e5561']

Source code:

import hashlib
import os
import struct
import subprocess
import sys

def sha2pay(fn):
# http://www.iagora.com/~espel/rpm2cpio

nel = 0
f = open(fn, "r")

rpm = f.read(96)
if (len(rpm) != 96):
#print("error reading lead 96.0")
return None
nel += len(rpm)

# http://perldoc.perl.org/functions/pack.html
# http://docs.python.org/library/struct.html

(magic, major, minor, rest) = struct.unpack(">LBB90s", rpm)

if (magic != 0xedabeedb):
#print("incorrect lead magic")
return None

if ((major != 3) and (major != 4)):
#print("incorrect lead major")
return None

# http://docs.python.org/library/stdtypes.html

while (1):
pos = nel
rpm = f.read(16)
if (len(rpm) != 16):
#print("error reading header 16.0")
return None
nel += len(rpm)
(smagic, rest) = struct.unpack(">H14s", rpm)
if ((smagic == 0x1f8b) or (smagic == 0x425a)):
break
if (pos & 0x7):
pos += 7
pos &= (~0x7)
f.seek(pos, 0)
nel = pos
rpm = f.read(16)
if (len(rpm) != 16):
#print("error reading header 16.1")
return None
nel += len(rpm)
left = (len(rpm) - 16)
(magic, data, sections, bytes, rest) = struct.unpack(">4L" + str(left) + "s", rpm)
if (magic != 0x8eade801):
#print("incorrect header magic")
return None
# beg custom
f.seek(pos + 16, 0)
tmp = f.read((16 * sections) + bytes)
head = (rpm + tmp)
# end custom
pos += 16
pos += (16 * sections)
pos += bytes
f.seek(pos, 0)
nel = pos

if ((smagic != 0x1f8b) and (smagic != 0x425a)):
#print("unknown compression format")
return None

while (1):
tmp = f.read(16384)

if (not tmp):
break

rpm += tmp

f.close()
return [hashlib.md5(head + rpm).hexdigest(), hashlib.sha256(head + rpm).hexdigest()]