Arch Linux

redboltz

Member

Registered: 2025-04-23

Posts: 2

Install Error with CMake due to Zscaler (ZIA Proxy) Blocking rhash

Hello,

I encountered an installation error while trying to install cmake through a Zscaler proxy (ZIA Proxy).
According to the official Arch Linux package page cmake https://archlinux.org/packages/extra/x86_64/cmake/, the latest version of cmake (version 4.0.1-1) depends on rhash https://archlinux.org/packages/extra/x86_64/rhash/ .
The latest version of rhash is 1.4.4-1.
It appears that Zscaler blocks the download of the rhash-1.4.4-1-x86_64.pkg.tar.zst package. This package contains the binary `usr/bin/rhash`, which Zscaler seems to classify as a threat.

For reference, here is the VirusTotal analysis result:
https://www.virustotal.com/gui/file/13f … 2666058cbe

Notes: cmake appears to be the only package in the official repository that depends on rhash.

The rhash package has been marked as out-of-date since 2024-10-15.

Possible causes I am considering:

This might be a false positive detection. In that case, a false positive report should be submitted to Zscaler. (However, rhash is currently flagged as outdated.)
If the threat detection is valid, and rhash is indeed compromised, cmake may need to drop or replace the dependency.
There may be another reason for the issue.

Any ideas?

Best regards,
redboltz

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 24,378

Re: Install Error with CMake due to Zscaler (ZIA Proxy) Blocking rhash

Almost certainly a false positive, but indeed it's somewhat overdue for an update. That said from having to deal with it at work, Zscaler is overzealous with it's "protection" in the vast majority of cases and causes annoying issues, so I might be biased.

Last edited by V1del (2025-04-23 11:48:22)

redboltz

Member

Registered: 2025-04-23

Posts: 2

Re: Install Error with CMake due to Zscaler (ZIA Proxy) Blocking rhash

I tested building rhash manually in my local environment using https://gitlab.archlinux.org/archlinux/ … type=heads

$ LC_ALL=C makepkg -s
==> Making package: rhash 1.4.4-1 (Thu Apr 24 11:17:51 2025)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading rhash-1.4.4.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  425k    0  425k    0     0   684k      0 --:--:-- --:--:-- --:--:--  684k
  -> Downloading rhash-1.4.4.tar.gz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   833  100   833    0     0    768      0  0:00:01  0:00:01 --:--:--     0
==> Validating source files with sha512sums...
    rhash-1.4.4.tar.gz ... Passed
    rhash-1.4.4.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
    rhash-1.4.4.tar.gz ... FAILED (unknown public key 2A714497E37363AE)
==> ERROR: One or more PGP signatures could not be verified!

Due to a key error, I fetched the key as follows:

$ gpg --recv-keys 2A714497E37363AE
gpg: key 2A714497E37363AE: public key "Aleksey Kravchenko <rhash.admin@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

I then tried again, and the build completed successfully.

$ LC_ALL=C makepkg -si
==> Making package: rhash 1.4.4-1 (Thu Apr 24 11:25:24 2025)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found rhash-1.4.4.tar.gz
  -> Downloading rhash-1.4.4.tar.gz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   833  100   833    0     0    880      0 --:--:-- --:--:-- --:--:--     0
==> Validating source files with sha512sums...
    rhash-1.4.4.tar.gz ... Passed
    rhash-1.4.4.tar.gz.asc ... Skipped
==> Verifying source file signatures with gpg...
    rhash-1.4.4.tar.gz ... Passed
==> Extracting sources...
  -> Extracting rhash-1.4.4.tar.gz with bsdtar
==> Starting prepare()...
Checking for sources ... RHash 1.4.4
Checking for target OS ... Linux
Checking for cc version ... gcc 14.2.1
Checking for linker support for dlopen ... yes
Checking for linker support for --version-script ... yes
Checking for gettext ... found
Checking for OpenSSL ... runtime
Writing config.mak
Writing librhash/config.mak
Writing dist/librhash.pc
==> Starting build()...
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong calc_sums.c -o calc_sums.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong hash_print.c -o hash_print.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong common_func.c -o common_func.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong hash_update.c -o hash_update.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong file.c -o file.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong file_mask.c -o file_mask.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong file_set.c -o file_set.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong find_file.c -o find_file.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong hash_check.c -o hash_check.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong output.c -o output.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -DSYSCONFDIR=\"/etc\" parse_cmdline.c -o parse_cmdline.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -DLOCALEDIR=\"/usr/share/locale\" rhash_main.c -o rhash_main.o
cc -c -DUSE_GETTEXT -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong win_utils.c -o win_utils.o
cd librhash && make lib-shared
make[1]: Entering directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
sed -ne '1s/.*/{ global:/p; s/^RHASH_API.* \(rhash_[a-z0-9_]*\)(.*/  \1;/p; $s/.*/local: *; };/p' \
  rhash.h rhash_torrent.h | grep -v "rhash_wfile" > exports.sym
test "xlibrhash.so.1" != "xlibrhash.so.1.4.4" && \
  rm -f librhash.so.1 && \
  ln -s librhash.so.1.4.4 librhash.so.1
rm -f librhash.so
ln -s librhash.so.1 librhash.so
cc -DOPENSSL_RUNTIME -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fpic -DRHASH_XVERSION=0x01040400 algorithms.c byte_order.c plug_openssl.c rhash.c rhash_torrent.c aich.c blake2b.c blake2s.c crc32.c ed2k.c edonr.c hex.c md4.c md5.c sha1.c sha256.c sha512.c sha3.c ripemd-160.c gost12.c gost94.c has160.c snefru.c tiger.c tiger_sbox.c tth.c torrent.c util.c whirlpool.c whirlpool_sbox.c  -Wl,-O1,--sort-common,--as-needed,-z,relro -shared -Wl,--version-script,exports.sym,-soname,librhash.so.1 -o librhash.so.1.4.4
make[1]: Leaving directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
cc calc_sums.o hash_print.o common_func.o hash_update.o file.o file_mask.o file_set.o find_file.o hash_check.o output.o parse_cmdline.o rhash_main.o win_utils.o librhash/librhash.so.1.4.4  -Wl,-O1,--sort-common,--as-needed,-z,relro -o rhash
==> Starting check()...
/bin/sh tests/test_rhash.sh --shared ./rhash
cd librhash && make test-shared
make[1]: Entering directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
cc -c -DOPENSSL_RUNTIME -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong test_lib.c -o test_lib.o
cc -c -DOPENSSL_RUNTIME -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong test_utils.c -o test_utils.o
 1. test with a text string:    Ok
 2. test stdin processing:      Ok
 3. test with 1Kb data file:    Ok
 4. test handling empty files:  Ok
 5. test default format:        Ok
 6. test %x, %b, %B modifiers:  Ok
 7. test %u modifier:           Ok
 8. test special characters:    Ok
 9. test file lists:            Ok
10. test eDonkey link:          Ok
11. test checking all hashes:   Ok
12. test magnet links:          Ok
13. test bsd format checking:   Ok
14. test checking w/o filename: Ok
15. test checking embedded crc: Ok
16. test checking recursively:  Ok
17. test wrong sums detection:  Ok
18. test missig files:          Ok
19. test unverified files:      Ok
20. test update:                Ok
21. test *accept options:       Ok
22. test ignoring of log files: Ok
23. test creating torrent file: Ok
24. test exit code:             Ok
cc -DOPENSSL_RUNTIME -DNDEBUG -pipe -ffunction-sections -fdata-sections -fomit-frame-pointer -Wall -W -Wstrict-prototypes -Wnested-externs -Winline -Wpointer-arith -Wbad-function-cast -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong test_lib.o test_utils.o librhash.so.1.4.4  -Wl,-O1,--sort-common,--as-needed,-z,relro -o test_shared
LD_LIBRARY_PATH=.:/home/kondo/local/lib:/usr/local/lib DYLD_LIBRARY_PATH=.: ./test_shared
All sums are working properly!
make[1]: Leaving directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
==> Entering fakeroot environment...
==> Starting package()...
make install-binary
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/share/man/man1
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/etc
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/bin
cd librhash && make install-lib-shared
install -m 644 dist/rhash.1 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/share/man/man1/rhash.1
tr -d \\r < dist/rhashrc.sample > rc.tmp && install -m 644 rc.tmp /home/kondo/tmp/rhash/from_src/pkg/rhash/etc/rhashrc
install -m 755 rhash /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/bin/rhash
cd /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/bin && for f in sfv-hash has160-hash gost12-256-hash gost12-512-hash edonr256-hash edonr512-hash tiger-hash tth-hash whirlpool-hash ed2k-link magnet-link; do ln -sf rhash $f; done
make[1]: Entering directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4'
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/bin
install -m 755 rhash /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/bin/rhash
rm -f rc.tmp
make[1]: Leaving directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4'
make[1]: Entering directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib
install -m 755 librhash.so.1.4.4 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/
test "xlibrhash.so.1" != "xlibrhash.so.1.4.4" && \
  rm -f /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so.1 && \
  ln -s librhash.so.1.4.4 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so.1
make[1]: Leaving directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
cd /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/share/man/man1 && for f in sfv-hash has160-hash gost12-256-hash gost12-512-hash edonr256-hash edonr512-hash tiger-hash tth-hash whirlpool-hash ed2k-link magnet-link; do ln -sf rhash.1 $f.1; done
make: Entering directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/include
install -m 644 rhash.h rhash_torrent.h /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/include/
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib
install -d /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib
install -m 755 librhash.so.1.4.4 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/
rm -f /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so
ln -s librhash.so.1 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so
test "xlibrhash.so.1" != "xlibrhash.so.1.4.4" && \
  rm -f /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so.1 && \
  ln -s librhash.so.1.4.4 /home/kondo/tmp/rhash/from_src/pkg/rhash/usr/lib/librhash.so.1
make: Leaving directory '/home/kondo/tmp/rhash/from_src/src/RHash-1.4.4/librhash'
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "rhash"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: rhash 1.4.4-1 (Thu Apr 24 11:25:31 2025)

I uploaded the built pkg/rhash/usr/bin/rhash to https://www.virustotal.com/

See https://www.virustotal.com/gui/file/2ed … 1a07f298f4

No threats were detected.
So, simply rebuilding the rhash package in a recent environment (I ran pacman -Syu today) resolved the threat report.

What is the appropriate course of action in this situation?

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 24,378

Re: Install Error with CMake due to Zscaler (ZIA Proxy) Blocking rhash

There's very little to be actively done here, the best bet is that the outdated warning means that it should get updated/rebuilt in time, but overzealous detection systems aren't really a driving force/motivator and it's not a packaging issue per se.