Add PKGID (SIGMD5) support to RPM cataloger #4650

@fernandosci

What would you like to be added:

Expose the RPM PKGID (RPMTAG_SIGMD5, tag 261) in syft's RPM package metadata output.

Why is this needed:

PKGID is the MD5 digest of the combined RPM header and payload contents. It is the package-level content checksum used by RPM to uniquely identify a specific package build.

Syft already exposes RPM signing signatures (RPMTAG_PGP / RPMTAG_RSAHEADER) via the Signatures field, but these are absent for unsigned packages — such as internally built or legacy RPMs. In those cases, PKGID is the only available identifier for integrity verification.

Additional context:

The data is already available in github.com/anchore/go-rpmdb.
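
The following added example is not from the issue, syft or go-rpmdb. It reads the MD5 digest from a package file's signature header, where it is stored as RPMSIGTAG_MD5 (1004) before the rpmdb records it as tag 261, and recomputes it over the header and payload. `PkgID`, `sampleRPM` and the sample bytes are names and data constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Lead length, header magic, and RPMSIGTAG_MD5 (tag 261 once imported into the rpmdb).
const leadSize, hdrMagic, sigTagMD5 = 96, 0x8eade801, 1004

// PkgID returns the MD5 stored in the signature header and whether it matches
// the MD5 recomputed over everything after that header (main header + payload).
func PkgID(rpm []byte) (string, bool, error) {
	if len(rpm) < leadSize+16 || binary.BigEndian.Uint32(rpm[leadSize:]) != hdrMagic {
		return "", false, fmt.Errorf("no RPM signature header")
	}
	sig := rpm[leadSize:]
	n, size := int(binary.BigEndian.Uint32(sig[8:])), int(binary.BigEndian.Uint32(sig[12:]))
	store := 16 + 16*n              // data store follows the 16-byte index entries
	rest := (store + size + 7) &^ 7 // signature header is padded to 8 bytes
	if n < 0 || size < 0 || n > len(sig)/16 || size > len(sig) || rest > len(sig) {
		return "", false, fmt.Errorf("truncated or implausible signature header")
	}
	for i := 0; i < n; i++ {
		e := sig[16+16*i:] // entry layout: tag, type, offset, count
		off, cnt := int(binary.BigEndian.Uint32(e[8:])), int(binary.BigEndian.Uint32(e[12:]))
		if binary.BigEndian.Uint32(e) == sigTagMD5 && cnt == md5.Size && off >= 0 && off <= size-cnt {
			stored, sum := sig[store+off:store+off+cnt], md5.Sum(sig[rest:])
			return hex.EncodeToString(stored), bytes.Equal(stored, sum[:]), nil
		}
	}
	return "", false, fmt.Errorf("signature header has no MD5 tag")
}

// sampleRPM builds a constructed image: zeroed lead, signature header holding
// only the MD5 tag, then body standing in for the main header and payload.
func sampleRPM(body []byte) []byte {
	sum := md5.Sum(body)
	out := make([]byte, leadSize)
	// magic, reserved, entry count, store size; then tag, BIN type, offset, count
	for _, v := range []uint32{hdrMagic, 0, 1, 16, sigTagMD5, 7, 0, 16} {
		out = binary.BigEndian.AppendUint32(out, v)
	}
	return append(append(out, sum[:]...), body...)
}

func main() { fmt.Println(PkgID(sampleRPM([]byte("constructed header+payload")))) }
```

A match shows the file is consistent with the digest stored inside it. Because that digest is unsigned and travels in the same file, it identifies a build and detects corruption; it does not authenticate who produced the package.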

Labels: ecosystem:os (relating to an OS packaging ecosystem), enhancement (New feature or request)