We should support SHA-256 for checksums on both the repodata files and the RPMs themselves.
createrepo doesn't store the file checksums, so nothing needs to change here.
repomd.xml can refer to other files with SHA-256 checksums via the (deprecated) -s flag, but the package checksums (<package><checksum type="sha" pkgid="YES">..., <package pkgid="...">) are hard-coded to use SHA-1. Because these checksums are used to verify authenticity of downloaded packages, they should be using SHA-256 as well. The SHA-1 package checksums are hard-coded in yum.packages and createrepo.yumBased. In addition, modifyrepo is hard-coded to use SHA-1 for added repodata files.
This is now fixed in upstream createrepo: http://createrepo.baseurl.org/gitweb?p=createrepo.git;a=commitdiff;h=3b43f1280d94776689816cf96c6cc8135726b240
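To check which side of this fix a given repository is on, the following added example (not code from createrepo or yum) lists the checksum type declared for each repodata file and each package and flags SHA-1. The function names, the sample metadata and the policy of rejecting weak types in `verify` are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# "sha" is the legacy spelling of SHA-1 in yum metadata.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256"}
WEAK = {"md5", "sha1"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def audit_checksums(xml_text):
    """Return (label, algorithm, is_weak) for each <checksum> under <data> or <package>."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        kind = local(parent.tag)
        if kind not in ("data", "package"):
            continue
        for child in parent:
            if local(child.tag) != "checksum":
                continue
            declared = child.get("type", "").lower()
            algo = ALGOS.get(declared, declared)
            if kind == "data":
                label = "repodata:" + parent.get("type", "?")
            else:
                label = "package:" + next(
                    (c.text for c in parent if local(c.tag) == "name"), "?")
            findings.append((label, algo, algo in WEAK))
    return findings

def verify(payload, checksum_type, expected_hex):
    """Compare payload bytes to a metadata checksum; weak types never pass (assumed policy)."""
    algo = ALGOS.get(checksum_type.lower())
    if algo is None or algo in WEAK:
        return False
    return hashlib.new(algo, payload).hexdigest() == expected_hex.lower()

# Constructed sample metadata; the digests are filler, not real packages.
REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><checksum type="sha256">%s</checksum></data>
</repomd>""" % ("ab" * 32)
PRIMARY = """<metadata xmlns="http://linux.duke.edu/metadata/common">
  <package type="rpm"><name>example</name>
    <checksum type="sha" pkgid="YES">%s</checksum></package>
</metadata>""" % ("cd" * 20)

if __name__ == "__main__":
    for label, algo, weak in audit_checksums(REPOMD) + audit_checksums(PRIMARY):
        print(label, algo, "WEAK" if weak else "ok")
```

On the constructed input, the repomd.xml entry reports sha256 while the package entry still reports SHA-1, which is the mismatch described above.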