TAR(5) File Formats Manual TAR(5)

tarformat of tape archive files

The tar archive format collects any number of files, directories, and other file system objects (symbolic links, device nodes, etc.) into a single stream of bytes. The format was originally designed to be used with tape drives that operate with fixed-size blocks, but is widely used as a general packaging mechanism.

A tar archive consists of a series of 512-byte records. Each file system object requires a header record which stores basic metadata (pathname, owner, permissions, etc.) and zero or more records containing any file data. The end of the archive is indicated by two records consisting entirely of zero bytes.

For compatibility with tape drives that use fixed block sizes, programs that read or write tar files always read or write a fixed number of records with each I/O operation. These “blocks” are always a multiple of the record size. The maximum block size supported by early implementations was 10240 bytes or 20 records. This is still the default for most implementations although block sizes of 1MiB (2048 records) or larger are commonly used with modern high-speed tape drives. (Note: the terms “block” and “record” here are not entirely standard; this document follows the convention established by John Gilmore in documenting pdtar.)

The original tar archive format has been extended many times to include additional information that various implementors found necessary. This section describes the variant implemented by the tar command included in Version 7 AT&T UNIX, which seems to be the earliest widely-used version of the tar program.

The header record for an old-style tar archive consists of the following:

struct header_old_tar {
	char name[100];
	char mode[8];
	char uid[8];
	char gid[8];
	char size[12];
	char mtime[12];
	char checksum[8];
	char linkflag[1];
	char linkname[100];
	char pad[255];
};
All unused bytes in the header record are filled with nulls.
name
Pathname, stored as a null-terminated string. Early tar implementations only stored regular files (including hardlinks to those files). One common early convention used a trailing "/" character to indicate a directory name, allowing directory permissions and owner information to be archived and restored.
mode
File mode, stored as an octal number in ASCII.
uid, gid
User id and group id of owner, as octal numbers in ASCII.
size
Size of file, as octal number in ASCII. For regular files only, this indicates the amount of data that follows the header. In particular, this field was ignored by early tar implementations when extracting hardlinks. Modern writers should always store a zero length for hardlink entries.
mtime
Modification time of file, as an octal number in ASCII. This indicates the number of seconds since the start of the epoch, 00:00:00 UTC January 1, 1970. Note that negative values should be avoided here, as they are handled inconsistently.
checksum
Header checksum, stored as an octal number in ASCII. To compute the checksum, set the checksum field to all spaces, then sum all bytes in the header using unsigned arithmetic. This field should be stored as six octal digits followed by a null and a space character. Note that many early implementations of tar used signed arithmetic for the checksum field, which can cause interoperability problems when transferring archives between systems. Modern robust readers compute the checksum both ways and accept the header if either computation matches.
linkflag, linkname
In order to preserve hardlinks and conserve tape, a file with multiple links is only written to the archive the first time it is encountered. The next time it is encountered, the linkflag is set to an ASCII ‘1’ and the linkname field holds the first name under which this file appears. (Note that regular files have a null value in the linkflag field.)

Early tar implementations varied in how they terminated these fields. The tar command in Version 7 AT&T UNIX used the following conventions (this is also documented in early BSD manpages): the pathname must be null-terminated; the mode, uid, and gid fields must end in a space and a null byte; the size and mtime fields must end in a space; the checksum is terminated by a null and a space. Early implementations filled the numeric fields with leading spaces. This seems to have been common practice until the IEEE Std 1003.1-1988 (“POSIX.1”) standard was released. For best portability, modern implementations should fill the numeric fields with leading zeros.

An early draft of IEEE Std 1003.1-1988 (“POSIX.1”) served as the basis for John Gilmore's pdtar program and many system implementations from the late 1980s and early 1990s. These archives generally follow the POSIX ustar format described below with the following variations:

  • The magic value consists of the five characters “ustar” followed by a space. The version field contains a space character followed by a null.
  • The numeric fields are generally filled with leading spaces (not leading zeros as recommended in the final standard).
  • The prefix field is often not used, limiting pathnames to the 100 characters of old-style archives.

IEEE Std 1003.1-1988 (“POSIX.1”) defined a standard tar file format to be read and written by compliant implementations of tar(1). This format is often called the “ustar” format, after the magic value used in the header. (The name is an acronym for “Unix Standard TAR”.) It extends the historic format with new fields:

struct header_posix_ustar {
	char name[100];
	char mode[8];
	char uid[8];
	char gid[8];
	char size[12];
	char mtime[12];
	char checksum[8];
	char typeflag[1];
	char linkname[100];
	char magic[6];
	char version[2];
	char uname[32];
	char gname[32];
	char devmajor[8];
	char devminor[8];
	char prefix[155];
	char pad[12];
};
typeflag
Type of entry. POSIX extended the earlier linkflag field with several new type values:
“0”
Regular file. NUL should be treated as a synonym, for compatibility purposes.
“1”
Hard link.
“2”
Symbolic link.
“3”
Character device node.
“4”
Block device node.
“5”
Directory.
“6”
FIFO node.
“7”
Reserved.
Other
A POSIX-compliant implementation must treat any unrecognized typeflag value as a regular file. In particular, writers should ensure that all entries have a valid filename so that they can be restored by readers that do not support the corresponding extension. Uppercase letters "A" through "Z" are reserved for custom extensions. Note that sockets and whiteout entries are not archivable.
It is worth noting that the size field, in particular, has different meanings depending on the type. For regular files, of course, it indicates the amount of data following the header. For directories, it may be used to indicate the total size of all files in the directory, for use by operating systems that pre-allocate directory space. For all other types, it should be set to zero by writers and ignored by readers.
magic
Contains the magic value “ustar” followed by a NUL byte to indicate that this is a POSIX standard archive. Full compliance requires the uname and gname fields be properly set.
version
Version. This should be “00” (two copies of the ASCII digit zero) for POSIX standard archives.
uname, gname
User and group names, as null-terminated ASCII strings. These should be used in preference to the uid/gid values when they are set and the corresponding names exist on the system.
devmajor, devminor
Major and minor numbers for character device or block device entry.
name, prefix
If the pathname is too long to fit in the 100 bytes provided by the standard format, it can be split at any / character with the first portion going into the prefix field. If the prefix field is not empty, the reader will prepend the prefix value and a / character to the regular name field to obtain the full pathname. The standard does not require a trailing / character on directory names, though most implementations still include this for compatibility reasons.

Note that all unused bytes must be set to NUL.

Field termination is specified slightly differently by POSIX than by previous implementations. The magic, uname, and gname fields must have a trailing NUL. The pathname, linkname, and prefix fields must have a trailing NUL unless they fill the entire field. (In particular, it is possible to store a 256-character pathname if it happens to have a / as the 156th character.) POSIX requires numeric fields to be zero-padded in the front, and requires them to be terminated with either space or NUL characters.

Currently, most tar implementations comply with the ustar format, occasionally extending it by adding new fields to the blank area at the end of the header record.

There have been several attempts to extend the range of sizes or times supported by modifying how numbers are stored in the header.

One obvious extension to increase the size of files is to eliminate the terminating characters from the various numeric fields. For example, the standard only allows the size field to contain 11 octal digits, reserving the twelfth byte for a trailing NUL character. Allowing 12 octal digits allows file sizes up to 64 GB.

Another extension, utilized by GNU tar, star, and other newer tar implementations, permits binary numbers in the standard numeric fields. This is flagged by setting the high bit of the first byte. The remainder of the field is treated as a signed twos-complement value. This permits 95-bit values for the length and time fields and 63-bit values for the uid, gid, and device numbers. In particular, this provides a consistent way to handle negative time values. GNU tar supports this extension for the length, mtime, ctime, and atime fields. Joerg Schilling's star program and the libarchive library support this extension for all numeric fields. Note that this extension is largely obsoleted by the extended attribute record provided by the pax interchange format.

Another early GNU extension allowed base-64 values rather than octal. This extension was short-lived and is no longer supported by any implementation.

There are many attributes that cannot be portably stored in a POSIX ustar archive. IEEE Std 1003.1-2001 (“POSIX.1”) defined a “pax interchange format” that uses two new types of entries to hold text-formatted metadata that applies to following entries. Note that a pax interchange format archive is a ustar archive in every respect. The new data is stored in ustar-compatible archive entries that use the “x” or “g” typeflag. In particular, older implementations that do not fully support these extensions will extract the metadata into regular files, where the metadata can be examined as necessary.

An entry in a pax interchange format archive consists of one or two standard ustar entries, each with its own header and data. The first optional entry stores the extended attributes for the following entry. This optional first entry has an "x" typeflag and a size field that indicates the total size of the extended attributes. The extended attributes themselves are stored as a series of text-format lines encoded in the portable UTF-8 encoding. Each line consists of a decimal number, a space, a key string, an equals sign, a value string, and a new line. The decimal number indicates the length of the entire line, including the initial length field and the trailing newline. An example of such a field is:

25 ctime=1084839148.1212\n
Keys in all lowercase are standard keys. Vendors can add their own keys by prefixing them with an all uppercase vendor name and a period. Note that, unlike the historic header, numeric values are stored using decimal, not octal. A description of some common keys follows:
, ctime, mtime
File access, inode change, and modification times. These fields can be negative or include a decimal point and a fractional value.
The character set used by the pax extension values. By default, all textual values in the pax extended attributes are assumed to be in UTF-8, including pathnames, user names, and group names. In some cases, it is not possible to translate local conventions into UTF-8. If this key is present and the value is the six-character ASCII string “BINARY”, then all textual values are assumed to be in a platform-dependent multi-byte encoding. Note that there are only two valid values for this key: “BINARY” or “ISO-IR 10646 2000 UTF-8”. No other values are permitted by the standard, and the latter value should generally not be used as it is the default when this key is not specified. In particular, this flag should not be used as a general mechanism to allow filenames to be stored in arbitrary encodings.
, uid, gname, gid
User name, group name, and numeric UID and GID values. The user name and group name stored here are encoded in UTF8 and can thus include non-ASCII characters. The UID and GID fields can be of arbitrary length.
The full path of the linked-to file. Note that this is encoded in UTF8 and can thus include non-ASCII characters.
The full pathname of the entry. Note that this is encoded in UTF8 and can thus include non-ASCII characters.
, security.*
These keys are reserved and may be used for future standardization.
The size of the file. Note that there is no length limit on this field, allowing conforming archives to store files much larger than the historic 8GB limit.
Vendor-specific attributes used by Joerg Schilling's star implementation.
, SCHILY.acl.default, SCHILY.acl.ace
Stores the access, default and NFSv4 ACLs as textual strings in a format that is an extension of the format specified by POSIX.1e draft 17. In particular, each user or group access specification can include an additional colon-separated field with the numeric UID or GID. This allows ACLs to be restored on systems that may not have complete user or group information available (such as when NIS/YP or LDAP services are temporarily unavailable).
, SCHILY.devmajor
The full minor and major numbers for device nodes.
The file flags.
The full size of the file on disk. XXX explain? XXX
, SCHILY.ino, SCHILY.nlinks
The device number, inode number, and link count for the entry. In particular, note that a pax interchange format archive using Joerg Schilling's SCHILY.* extensions can store all of the data from struct stat.
Vendor-specific attributes used by the libarchive library and programs that use it.
The time when the file was created. (This should not be confused with the POSIX “ctime” attribute, which refers to the time when the file metadata was last changed.)
.namespace.key
Libarchive stores POSIX.1e-style extended attributes using keys of this form. The key value is URL-encoded: All non-ASCII characters and the two special characters “=” and “%” are encoded as “%” followed by two uppercase hexadecimal digits. The value of this key is the extended attribute value encoded in base 64. XXX Detail the base-64 format here XXX
XXX document other vendor-specific extensions XXX

Any values stored in an extended attribute override the corresponding values in the regular tar header. Note that compliant readers should ignore the regular fields when they are overridden. This is important, as existing archivers are known to store non-compliant values in the standard header fields in this situation. There are no limits on length for any of these fields. In particular, numeric fields can be arbitrarily large. All text fields are encoded in UTF8. Compliant writers should store only portable 7-bit ASCII characters in the standard ustar header and use extended attributes whenever a text value contains non-ASCII characters.

In addition to the x entry described above, the pax interchange format also supports a g entry. The g entry is identical in format, but specifies attributes that serve as defaults for all subsequent archive entries. The g entry is not widely used.

Besides the new x and g entries, the pax interchange format has a few other minor variations from the earlier ustar format. The most troubling one is that hardlinks are permitted to have data following them. This allows readers to restore any hardlink to a file without having to rewind the archive to find an earlier entry. However, it creates complications for robust readers, as it is no longer clear whether or not they should ignore the size field for hardlink entries.

The GNU tar program started with a pre-POSIX format similar to that described earlier and has extended it using several different mechanisms: It added new fields to the empty space in the header (some of which was later used by POSIX for conflicting purposes); it allowed the header to be continued over multiple records; and it defined new entries that modify following entries (similar in principle to the x entry described above, but each GNU special entry is single-purpose, unlike the general-purpose x entry). As a result, GNU tar archives are not POSIX compatible, although more lenient POSIX-compliant readers can successfully extract most GNU tar archives.

struct header_gnu_tar {
	char name[100];
	char mode[8];
	char uid[8];
	char gid[8];
	char size[12];
	char mtime[12];
	char checksum[8];
	char typeflag[1];
	char linkname[100];
	char magic[6];
	char version[2];
	char uname[32];
	char gname[32];
	char devmajor[8];
	char devminor[8];
	char atime[12];
	char ctime[12];
	char offset[12];
	char longnames[4];
	char unused[1];
	struct {
		char offset[12];
		char numbytes[12];
	} sparse[4];
	char isextended[1];
	char realsize[12];
	char pad[17];
};
typeflag
GNU tar uses the following special entry types, in addition to those defined by POSIX:
7
GNU tar treats type "7" records identically to type "0" records, except on one obscure RTOS where they are used to indicate the pre-allocation of a contiguous file on disk.
D
This indicates a directory entry. Unlike the POSIX-standard "5" typeflag, the header is followed by data records listing the names of files in this directory. Each name is preceded by an ASCII "Y" if the file is stored in this archive or "N" if the file is not stored in this archive. Each name is terminated with a null, and an extra null marks the end of the name list. The purpose of this entry is to support incremental backups; a program restoring from such an archive may wish to delete files on disk that did not exist in the directory when the archive was made.

Note that the "D" typeflag specifically violates POSIX, which requires that unrecognized typeflags be restored as normal files. In this case, restoring the "D" entry as a file could interfere with subsequent creation of the like-named directory.

K
The data for this entry is a long linkname for the following regular entry.
L
The data for this entry is a long pathname for the following regular entry.
M
This is a continuation of the last file on the previous volume. GNU multi-volume archives guarantee that each volume begins with a valid entry header. To ensure this, a file may be split, with part stored at the end of one volume, and part stored at the beginning of the next volume. The "M" typeflag indicates that this entry continues an existing file. Such entries can only occur as the first or second entry in an archive (the latter only if the first entry is a volume label). The size field specifies the size of this entry. The offset field at bytes 369-380 specifies the offset where this file fragment begins. The realsize field specifies the total size of the file (which must equal size plus offset). When extracting, GNU tar checks that the header file name is the one it is expecting, that the header offset is in the correct sequence, and that the sum of offset and size is equal to realsize.
N
Type "N" records are no longer generated by GNU tar. They contained a list of files to be renamed or symlinked after extraction; this was originally used to support long names. The contents of this record are a text description of the operations to be done, in the form “Rename %s to %s\n” or “Symlink %s to %s\n”; in either case, both filenames are escaped using K&R C syntax. Due to security concerns, "N" records are now generally ignored when reading archives.
S
This is a “sparse” regular file. Sparse files are stored as a series of fragments. The header contains a list of fragment offset/length pairs. If more than four such entries are required, the header is extended as necessary with “extra” header extensions (an older format that is no longer used), or “sparse” extensions.
V
The name field should be interpreted as a tape/volume header name. This entry should generally be ignored on extraction.
magic
The magic field holds the five characters “ustar” followed by a space. Note that POSIX ustar archives have a trailing null.
version
The version field holds a space character followed by a null. Note that POSIX ustar archives use two copies of the ASCII digit “0”.
atime, ctime
The time the file was last accessed and the time of last change of file information, stored in octal as with mtime.
longnames
This field is apparently no longer used.
Sparse offset / numbytes
Each such structure specifies a single fragment of a sparse file. The two fields store values as octal numbers. The fragments are each padded to a multiple of 512 bytes in the archive. On extraction, the list of fragments is collected from the header (including any extension headers), and the data is then read and written to the file at appropriate offsets.
isextended
If this is set to non-zero, the header will be followed by additional “sparse header” records. Each such record contains information about as many as 21 additional sparse blocks as shown here:
struct gnu_sparse_header {
	struct {
		char offset[12];
		char numbytes[12];
	} sparse[21];
	char    isextended[1];
	char    padding[7];
};
realsize
A binary representation of the file's complete size, with a much larger range than the POSIX file size. In particular, with M type files, the current entry is only a portion of the file. In that case, the POSIX size field will indicate the size of this entry; the realsize field will indicate the total size of the file.

GNU tar 1.14 (XXX check this XXX) and later will write pax interchange format archives when you specify the --posix flag. This format follows the pax interchange format closely, using some SCHILY tags and introducing new keywords to store sparse file information. There have been three iterations of the sparse file support, referred to as “0.0”, “0.1”, and “1.0”.

, GNU.sparse.offset, GNU.sparse.numbytes, GNU.sparse.size
The “0.0” format used an initial GNU.sparse.numblocks attribute to indicate the number of blocks in the file, a pair of GNU.sparse.offset and GNU.sparse.numbytes to indicate the offset and size of each block, and a single GNU.sparse.size to indicate the full size of the file. This is not the same as the size in the tar header because the latter value does not include the size of any holes. This format required that the order of attributes be preserved and relied on readers accepting multiple appearances of the same attribute names, which is not officially permitted by the standards.
The “0.1” format used a single attribute that stored a comma-separated list of decimal numbers. Each pair of numbers indicated the offset and size, respectively, of a block of data. This does not work well if the archive is extracted by an archiver that does not recognize this extension, since many pax implementations simply discard unrecognized attributes.
, GNU.sparse.minor, GNU.sparse.name, GNU.sparse.realsize
The “1.0” format stores the sparse block map in one or more 512-byte blocks prepended to the file data in the entry body. The pax attributes indicate the existence of this map (via the GNU.sparse.major and GNU.sparse.minor fields) and the full size of the file. The GNU.sparse.name holds the true name of the file. To avoid confusion, the name stored in the regular tar header is a modified name so that extraction errors will be apparent to users.

XXX More Details Needed XXX

Solaris tar (beginning with SunOS XXX 5.7 ?? XXX) supports an “extended” format that is fundamentally similar to pax interchange format, with the following differences:

  • Extended attributes are stored in an entry whose type is X, not x, as used by pax interchange format. The detailed format of this entry appears to be the same as detailed above for the x entry.
  • An additional A header is used to store an ACL for the following regular entry. The body of this entry contains a seven-digit octal number followed by a zero byte, followed by the textual ACL description. The octal value is the number of ACL entries plus a constant that indicates the ACL type: 01000000 for POSIX.1e ACLs and 03000000 for NFSv4 ACLs.

XXX More details needed XXX

AIX Tar uses a ustar-formatted header with the type A for storing coded ACL information. Unlike the Solaris format, AIX tar writes this header after the regular file body to which it applies. The pathname in this header is either NFS4 or AIXC to indicate the type of ACL stored. The actual ACL is stored in platform-specific binary format.

The tar distributed with Apple's Mac OS X stores most regular files as two separate files in the tar archive. The two files have the same name except that the first one has “._” prepended to the last path element. This special file stores an AppleDouble-encoded binary blob with additional metadata about the second file, including ACL, extended attributes, and resources. To recreate the original file on disk, each separate file can be extracted and the Mac OS X () function can be used to unpack the separate metadata file and apply it to th regular file. Conversely, the same function provides a “pack” option to encode the extended metadata from a file into a separate file whose contents can then be put into a tar archive.

Note that the Apple extended attributes interact badly with long filenames. Since each file is stored with the full name, a separate set of extensions needs to be included in the archive for each one, doubling the overhead required for files with long names.

The following list is a condensed summary of the type codes used in tar header records generated by different tar implementations. More details about specific implementations can be found above:

NUL
Early tar programs stored a zero byte for regular files.
POSIX standard type code for a regular file.
POSIX standard type code for a hard link description.
POSIX standard type code for a symbolic link description.
POSIX standard type code for a character device node.
POSIX standard type code for a block device node.
POSIX standard type code for a directory.
POSIX standard type code for a FIFO.
POSIX reserved.
GNU tar used for pre-allocated files on some systems.
Solaris tar ACL description stored prior to a regular file header.
AIX tar ACL description stored after the file body.
GNU tar directory dump.
GNU tar long linkname for the following header.
GNU tar long pathname for the following header.
GNU tar multivolume marker, indicating the file is a continuation of a file from the previous volume.
GNU tar long filename support. Deprecated.
GNU tar sparse regular file.
GNU tar tape/volume header name.
Solaris tar general-purpose extension header.
POSIX pax interchange format global extensions.
POSIX pax interchange format per-file extensions.

ar(1), pax(1), tar(1)

The tar utility is no longer a part of POSIX or the Single Unix Standard. It last appeared in Version 2 of the Single UNIX Specification (“SUSv2”). It has been supplanted in subsequent standards by pax(1). The ustar format is currently part of the specification for the pax(1) utility. The pax interchange file format is new with IEEE Std 1003.1-2001 (“POSIX.1”).

A tar command appeared in Seventh Edition Unix, which was released in January, 1979. It replaced the tp program from Fourth Edition Unix which in turn replaced the tap program from First Edition Unix. John Gilmore's pdtar public-domain implementation (circa 1987) was highly influential and formed the basis of GNU tar (circa 1988). Joerg Shilling's star archiver is another open-source (CDDL) archiver (originally developed circa 1985) which features complete support for pax interchange format.

This documentation was written as part of the libarchive and bsdtar project by Tim Kientzle ⟨kientzle@FreeBSD.org⟩.

December 27, 2016 macOS 15.2