How to tar.gz → zip for linux & container engineers
- Step 1Pull the artifact locally — Get the
.tar.gzonto your machine — a CI artifact download,kubectl cp, or ahelm pull. The tool reads it from disk via the File API; nothing transits a network. - Step 2Confirm it's a content handoff, not a layer re-import — If the recipient just needs to read or review the files, ZIP is fine. If they will
docker loadit, keep the original TAR.GZ — conversion drops the mode bits and links a runtime needs. - Step 3Open the converter — Go to /archive-tools/tar-gz-to-zip. For artifacts up to 500 MB, use a Pro tier; Developer handles up to 2 GB.
- Step 4Drop and Process — Drop the single
.tar.gzand click Process. fflate gunzips and re-zips the regular files at DEFLATE level 6 — no options to tune. - Step 5Capture a checksum (optional) — For audit trails, run /archive-tools/checksum-generator on the output to emit a SHA-256 manifest the reviewer can verify.
- Step 6Hand off the ZIP — Download and attach the ZIP to the ticket, share, or evidence package — it opens with no extra tooling on any OS.
Where TAR.GZ → ZIP fits in a container workflow
Common Linux/container sources and whether ZIP conversion is appropriate.
| Source artifact | Convert to ZIP? | Reason |
|---|---|---|
| CI build artifact (source/docs) | Yes | Recipient just needs the files |
| Helm chart bundle (.tgz) | Yes for review | Readable; not for helm install |
| kubectl cp pull from a pod | Yes | Share logs/configs with non-Linux folks |
| docker save image layer | No | Mode bits/links lost — won't docker load |
| Backup tarball with symlinks | Caution | Symlinks are skipped; verify completeness |
Tier limits for artifact handoffs
Real archive-family ceilings — the input file is size-checked before any work.
| Tier | Max input | Entry ceiling | Files / job |
|---|---|---|---|
| Free | 50 MB | 500 | 1 |
| Pro | 500 MB | 50,000 | 20 |
| Pro+Media | 2 GB | 500,000 | 100 |
| Developer | 2 GB | 500,000 | unlimited |
Fidelity for engineers
Exactly what crosses from a container TAR.GZ into the ZIP.
| Property | Crosses over? | Engineering impact |
|---|---|---|
| Regular file content | Yes — identical | Safe for review and inspection |
| Executable bit (0755) | No | Re-set before running on Linux |
| Symlinks | No | Re-create if the tree depends on them |
| Hardlinks | No | Deduped links become absent, not copied |
| mtime / timestamps | No (set to now) | Use timestamp-normalizer for reproducibility |
Cookbook
Real engineering handoffs — shipping readable artifacts to non-Linux stakeholders, attaching to tickets, and the cases where you should NOT convert.
Helm chart review for a Windows stakeholder
A reviewer on Windows needs to read templates and values from a .tgz chart. Convert and attach; they double-click open.
Input: mychart-2.3.1.tgz Process → Output: mychart-2.3.1.zip mychart/Chart.yaml mychart/values.yaml mychart/templates/deployment.yaml ... Good for review. Not for `helm install` (use the .tgz for that).
Pod logs pulled with kubectl cp
You pulled /var/log from a pod as a tarball. Convert to ZIP to drop into an incident ticket.
kubectl cp ns/pod:/tmp/logs.tar.gz ./logs.tar.gz Drop logs.tar.gz -> Process -> logs.zip Attach logs.zip to the incident ticket — opens on any OS.
Audit package with a checksum
For chain-of-custody, generate a SHA-256 manifest of the converted ZIP's contents so the auditor can verify nothing changed.
1. tar-gz-to-zip: evidence.tar.gz -> evidence.zip 2. checksum-generator: evidence.zip -> evidence.sha256sums Reviewer runs: sha256sum -c evidence.sha256sums
Do NOT convert a saved image layer
A docker save tarball relies on exact paths, mode bits, and a manifest. Converting to ZIP and back breaks docker load.
docker save myimg:1.0 -o myimg.tar; gzip myimg.tar Converting myimg.tar.gz -> .zip loses mode bits + layout. Keep the original tarball for `docker load`.
Locked-down jump box, no tar
On a bastion with no archive tools and no install rights, the browser converter is the whole toolchain.
Bastion has: a browser. No tar, no zip, no install rights. Drop artifact.tar.gz at /archive-tools/tar-gz-to-zip -> Download artifact.zip Nothing installed, nothing uploaded.
Edge cases and what actually happens
Saved image layer (docker save)
Wrong toolImage tarballs depend on exact mode bits, paths, and a manifest. Converting to ZIP drops mode bits and reorders nothing but loses the link/permission fidelity docker load needs. Keep the original TAR.GZ.
Executable bit on a shipped binary
Not preservedThe re-zip writes no Unix mode bits, so a bin/tool extracted from the ZIP won't be executable. Re-run chmod +x after extraction on Linux, or keep the tarball.
Symlinks in a backup tarball
SkippedSymlink entries are not written to the ZIP. For backups whose structure depends on links, the converted ZIP is incomplete — verify the file list before relying on it.
Hardlinked dedup tree
SkippedHardlink entries are dropped and not expanded into copies, so hardlinked files simply do not appear. Expect a smaller, incomplete tree for archives built with heavy hardlinking.
Artifact over the tier cap
RejectedInputs above 50 MB (free) / 500 MB (pro) / 2 GB (pro-media, developer) are blocked before processing with a per-job limit message. Use a higher tier or the CLI for very large layers.
Regulated data boundary
PreservedBecause nothing transits a network, the data boundary does not move when you convert — equivalent to running a local CLI. Confirm with your compliance team, but the architecture keeps bytes on-device.
Truncated CI artifact download
ErrorA partial .tar.gz from a flaky artifact download fails to gunzip and the run stops. Re-download and verify the format with /archive-tools/auto-format-detector.
Very long container paths
May truncateDeep container paths can exceed the 100-byte TAR name field; the parser does not read GNU longname/PAX records, so such entries may truncate. Most chart and source tarballs stay under the limit.
Frequently asked questions
Is this safe for sensitive build artifacts?
Yes — the browser-only architecture means the artifact is never uploaded. It is read from disk and processed in your tab. For chain-of-custody, pair it with /archive-tools/checksum-generator to produce SHA-256 manifests before and after.
Can I convert a docker save tarball to ZIP and back?
No — that round-trip breaks the image. Saved layers depend on mode bits, symlinks, and an exact layout, all of which conversion drops. Keep the original TAR.GZ for docker load.
Will executable bits survive for a shipped CLI binary?
No. The ZIP entries carry no Unix mode bits, so extracted binaries won't be executable until you chmod +x them. If the exec flag must survive, keep the tarball or use the CLI.
Does this work on a locked-down jump box?
Yes — it needs only a browser, no install or admin rights. That is its core advantage on bastions and kiosks where tar isn't available.
What about HIPAA / PCI / FedRAMP environments?
Nothing transits a network, so the regulated boundary doesn't move — it is equivalent to a local CLI conversion. Confirm with your compliance team, but the data-handling model is on-device only.
How large an artifact can I convert?
Free: 50 MB. Pro: 500 MB. Pro+Media and Developer: 2 GB. Larger layers should be handled by the CLI or split upstream.
Are symlinks in my tarball preserved?
No — symlink entries are skipped. If a deployment tree depends on links, the converted ZIP will be missing them. Check the file listing before using it as a complete copy.
Can multiple engineers use this at once?
Yes — each browser tab is an independent instance with no shared state. Free-tier limits apply per session; Pro and above remove them and add batch capacity.
Does it preserve directory structure?
Yes — every regular file keeps its full path, so the folder tree reconstructs on extraction. Standalone empty-directory entries are not emitted, but populated folders appear normally.
Why not just send the .tar.gz?
When the recipient is on Windows with no tar, or a ticketing system only accepts ZIP, conversion removes the friction. For Linux-to-Linux handoffs, the original TAR.GZ is usually the better choice.
Can I batch many artifacts at once?
This converter takes one archive per run. For unpacking many archives together use /archive-tools/batch-extraction-manager, then convert outputs as needed. Pro and above raise the per-job file count.
How does this compare to enterprise tooling?
JAD covers the fast, private one-off conversion. Enterprise platforms add SSO, central audit logs, and storage. Many teams use JAD for speed-of-task and keep enterprise tooling for governance.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.