git get-tar-commit-id

Recover provenance from a tarball produced by git archive.

🎯 What & why

git get-tar-commit-id reads a tar archive on stdin and prints the commit SHA that produced it. Useful for verifying provenance of release tarballs made with git archive.

🧠 Mental model

git archive embeds the source commit ID in a pax extended header inside the tar. This command just digs that field out, no repo needed.

🛠️ Synopsis

git get-tar-commit-id < <tarball.tar>
git archive --format=tar HEAD | git get-tar-commit-id

🎚️ Switches & options

Flag	What it does
`(none)`	Reads tar from stdin; writes 40-char SHA + newline to stdout
`(no flags)`	This command takes no flags or arguments
`exit 1`	Returned if the tar has no embedded commit ID
`works offline`	No repository required to run

💡 Use cases

Verify which commit a release tarball was built from before deploying
Audit third-party source tarballs claimed to come from a specific tag
Build CI checks that reject archives missing commit provenance
Pin reproducible builds back to a known SHA without unpacking

🧪 Examples

Read SHA from a tarball

git get-tar-commit-id < release-1.2.tar

Pipe straight from archive

git archive --format=tar HEAD | git get-tar-commit-id

Verify against a tag

git get-tar-commit-id < dist.tar | grep -q $(git rev-parse v1.2^{})

From a gzipped tarball

gunzip -c release.tar.gz | git get-tar-commit-id

🎓 Recommendations

Always pipe uncompressed tar; gzip/xz tarballs must be decompressed first
Use it in release pipelines as a sanity check that the archive matches the intended commit

🪤 Common pitfalls

Only works on archives created with git archive --format=tar; arbitrary tarballs won't have the field
zip-format archives store the commit ID differently and are not supported here

🔗 Related modules

📝 Quiz

Hit each option, then Check answers. Score is recorded; Next is always open.