[CentOS] signing RPM packages with SHA256

Wed Jan 20 07:37:35 UTC 2016
Alice Wonder <alice at domblogger.net>

hi,

I noticed that RPM packages I sign use SHA1

Signature   : RSA/SHA1, Fri 08 Jan 2016 10:50:58 AM PST, Key ID 
ad3b591d147abf59

Signatures from CentOS 7 use SHA256

Signature   : RSA/SHA256, Wed 06 Jan 2016 08:54:58 AM PST, Key ID 
24c6a8a7f4a80eb5

I'm trying to find where / how to use sha256 when I sign packages but I 
am not having much luck. Closest I have found is this :

https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256

That page appears to be from 2009 and six years is a really long time, 
things change a lot.

Is there an up to date reference somewhere on RPM package signing that I 
haven't stumbled upon yet?

SHA1 is broken. I shouldn't be using it.

CentOS 7 is all I build packages for.

Thank you.