Closed
Description
The SPDX spec for the 'Package Checksum' field does not specify that it must be SHA1, but the current Package class validation logic requires it to be.
This is the relevant part of the spec:

And this is the section of the code which is doing improper validation (from package.py):

In my opinion the spec itself should also be relaxed with respect to File Checksum requiring SHA1, but that is an argument for a different venue. I'm guessing that this bug is due to copy-paste from the File class, which rightfully checks for a SHA1 hash.
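To make the reported mismatch concrete, the block below (an added example, not the project's package.py and not the reporter's code) contrasts the over-strict "SHA1 only" rule with a check that accepts any algorithm the SPDX spec lists and verifies the digest is hex of the right length; the tag/value line form, the algorithm table and the sample values are assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Hex digest lengths for checksum algorithms named in the SPDX 2.x spec.
# Assumption: this table and the functions below are constructed for this
# example; they are not the project's own package.py code.
DIGEST_HEX_LENGTHS = {
    "MD5": 32, "SHA1": 40, "SHA224": 56,
    "SHA256": 64, "SHA384": 96, "SHA512": 128,
}

# Tag/value form used by SPDX documents, e.g. "PackageChecksum: SHA256: <hex>".
CHECKSUM_LINE = re.compile(r"^PackageChecksum:\s*(\w+):\s*([0-9a-fA-F]+)\s*$")


@dataclass
class Checksum:
    identifier: str  # algorithm name, e.g. "SHA1" or "SHA256"
    value: str       # hex digest


def parse_package_checksum(line: str) -> Optional[Checksum]:
    """Parse one PackageChecksum tag/value line; None if it is malformed."""
    m = CHECKSUM_LINE.match(line)
    if not m:
        return None
    return Checksum(identifier=m.group(1).upper(), value=m.group(2).lower())


def validate_sha1_only(chksum: Checksum) -> bool:
    """The over-strict rule the issue describes: anything but SHA1 is rejected."""
    return chksum.identifier == "SHA1" and len(chksum.value) == 40


def validate_package_checksum(chksum: Checksum) -> bool:
    """Spec-conformant rule: any listed algorithm; value must be hex of the right length."""
    expected = DIGEST_HEX_LENGTHS.get(chksum.identifier)
    if expected is None:
        return False
    return re.fullmatch(r"[0-9a-f]{%d}" % expected, chksum.value) is not None


# Constructed sample lines: digests of the empty byte string.
SAMPLE_SHA1 = "PackageChecksum: SHA1: " + hashlib.sha1(b"").hexdigest()
SAMPLE_SHA256 = "PackageChecksum: SHA256: " + hashlib.sha256(b"").hexdigest()
```

Running both validators over the two sample lines shows the SHA256 package checksum rejected by the SHA1-only rule but accepted by the length-and-hex check.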