ZIP to 7Z for Linux & Container Engineers

Windows ZIP into a Docker build context

A teammate sends app-src.zip. Your Dockerfile wants a gzipped tar it can ADD. Convert in the browser, then ADD.

Browser: app-src.zip -> app-src.tar.gz (zip-to-7z)
Dockerfile:
  FROM node:20
  ADD app-src.tar.gz /app/
  WORKDIR /app
  RUN npm ci
# ADD auto-extracts the .tar.gz into /app — no unzip needed.

List and verify before using as a build input

Always confirm the tree and that paths are relative (no leading slash, which tar would refuse to extract cleanly).

$ tar -tzf app-src.tar.gz | head
src/index.ts
src/server.ts
package.json
# Good: relative paths, no leading '/'. Safe to extract.

Strip a wrapping top-level folder

Many ZIPs nest everything under one folder (app-src/...). For a clean build context you often want that gone. Do it on the ZIP first, then convert.

Before: app-src/src/index.ts  (everything under app-src/)
Step 1: path-prefix-remover on the ZIP -> strips 'app-src/'
Step 2: zip-to-7z -> tar.gz with src/index.ts at the root
ADD app-src.tar.gz /app  ->  /app/src/index.ts (not /app/app-src/...)

Reproducible build: normalise timestamps first

The TAR header stamps 'now', so re-converting busts Docker layer caches. Pin timestamps before converting so the same input yields the same tar.

Problem: same app-src.zip -> different mtimes each conversion -> cache miss
Step 1: timestamp-normalizer on app-src.zip (set 1980-01-01)
Step 2: zip-to-7z -> tar.gz
Note: the TAR header still writes conversion time per entry, so for
  fully reproducible tar, normalise after extraction in CI too.

Convert on a host with no unzip

A hardened bastion has tar but not unzip. Do the ZIP-to-TAR.GZ in the browser on your laptop, scp the result, and the bastion handles it natively.

Laptop browser: build.zip -> build.tar.gz (zip-to-7z)
$ scp build.tar.gz bastion:/tmp/
bastion$ tar -xzf /tmp/build.tar.gz -C /opt/app   # no unzip required

ZIP directory entries (ending in /) are dropped on extraction, so an empty logs/ or tmp/ folder will not exist in the TAR.GZ. If your container expects that directory to pre-exist, create it in the Dockerfile with RUN mkdir -p logs rather than relying on the archive.

The TAR header writes the current time for every entry. This can bust Docker layer caching and break reproducible-build hashes that depend on mtimes. Normalise with timestamp-normalizer and/or re-normalise after extraction in CI.

If a ZIP somehow contains absolute paths, tar -xzf may refuse or warn. List with tar -tzf first. The conversion preserves whatever paths the ZIP held; it does not sanitise them. Use filename-sanitizer or path-prefix-remover on the ZIP if needed.

ZIP and the TAR builder do not carry Unix mode bits the way you might expect — entries are written with default permissions (0644). An executable script in the ZIP will extract without its +x bit, so add RUN chmod +x in the Dockerfile or chmod after extraction.

A large monorepo build context can blow past 50 MB (Free) or even 500 MB (Pro). Caps are 50 MB / 500 MB / 2 GB / 2 GB by tier, plus an entry-count cap (500 / 50,000 / 500,000). Split with archive-splitter or upgrade tier.

ZIP rarely stores true symlinks, and the TAR builder writes regular-file entries (type '0') only. Any symlink semantics are lost — the target's content (if present) is stored as a plain file. Re-create symlinks in the Dockerfile if your build relies on them.

A password-protected ZIP cannot be converted — this tool has no password field. Decrypt and extract with multi-format-extractor, re-zip the plaintext, then convert.

The output is .tar.gz, never .7z. For container pipelines that is what you want, but if an artifact store specifically requires 7Z, this tool cannot produce it — use a native 7-Zip on a build agent instead.