Merge https://github.com/kubernetes-csi/csi-driver-nfs:master into main

Author: shiftstack-merge-bot

.github/workflows/codeql-analysis.yml

@@ -48,7 +48,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
+      uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,4 +63,4 @@ jobs:
         make all
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4
+      uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4

.github/workflows/trivy.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Install go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version: 1.25.9
+          go-version: 1.25.10
 
       - name: Build an image from Dockerfile
         run: |

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/pborman/uuid v1.2.1
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/goleak v1.3.0
-	google.golang.org/grpc v1.80.0
+	google.golang.org/grpc v1.81.1
 	google.golang.org/protobuf v1.36.11
 	k8s.io/api v0.32.10
 	k8s.io/apimachinery v0.32.10
@@ -118,28 +118,28 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.16 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/crypto v0.50.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.35.0
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/mod v0.36.0
+	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -435,20 +435,20 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
-go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
-go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
-go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
-go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
-go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
-go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
-go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
-go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
-go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -496,8 +496,8 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -522,8 +522,8 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -623,10 +623,10 @@ google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvx
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
 google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo=
-google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516 h1:vmC/ws+pLzWjj/gzApyoZuSVrDtF1aod4u/+bbj8hgM=
-google.golang.org/genproto/googleapis/api v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:p3MLuOwURrGBRoEyFHBT3GjUwaCQVKeNqqWxlcISGdw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516 h1:sNrWoksmOyF5bvJUcnmbeAmQi8baNhqg5IWaI3llQqU=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260120221211-b8f7ae30c516/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=
+google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 h1:ggcbiqK8WWh6l1dnltU4BgWGIGo+EVYxCaAPih/zQXQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -635,8 +635,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=

pkg/nfs/tar.go

@@ -25,7 +25,9 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"
+	"time"
 )
 
 func TarPack(srcDirPath string, dstPath string, enableCompression bool) error {
@@ -142,6 +144,17 @@ func TarUnpack(srcPath, dstDirPath string, enableCompression bool) (err error) {
 	if err != nil {
 		return fmt.Errorf("normalizing archive destination path: %w", err)
 	}
+	// Ensure destination exists before resolving, so EvalSymlinks works on all platforms.
+	if mkErr := os.MkdirAll(dstDirPath, 0755); mkErr != nil {
+		return fmt.Errorf("creating destination directory: %w", mkErr)
+	}
+	// Resolve symlinks in dstDirPath itself so containment checks work correctly
+	// on platforms where temp paths are symlinks (e.g., macOS /tmp -> /private/tmp)
+	// or short path names (e.g., Windows RUNNER~1 -> runneradmin).
+	dstDirPath, err = filepath.EvalSymlinks(dstDirPath)
+	if err != nil {
+		return fmt.Errorf("resolving destination path: %w", err)
+	}
 
 	tarFile, err := os.Open(srcPath)
 	if err != nil {
@@ -167,6 +180,15 @@ func TarUnpack(srcPath, dstDirPath string, enableCompression bool) (err error) {
 
 	tarReader := tar.NewReader(tarDst)
 
+	// Collect directory timestamps to restore after all files are written,
+	// because creating files inside a directory updates the directory's mtime.
+	type dirTimestamp struct {
+		path    string
+		modTime time.Time
+		accTime time.Time
+	}
+	var dirTimestamps []dirTimestamp
+
 	for {
 		var tarHeader *tar.Header
 		tarHeader, err = tarReader.Next()
@@ -181,13 +203,38 @@ func TarUnpack(srcPath, dstDirPath string, enableCompression bool) (err error) {
 
 		filePath := filepath.Join(dstDirPath, tarHeader.Name)
 
-		// protect against "Zip Slip"
-		if !strings.HasPrefix(filePath, dstDirPath) {
-			// mimic standard error, which will be returned in future versions of Go by default
-			// more info can be found by "tarinsecurepath" variable name
+		// Robust containment check: use filepath.Rel to prevent prefix collisions
+		// (e.g., dstDirPath="/tmp/out" vs filePath="/tmp/out2/...")
+		var rel string
+		rel, err = filepath.Rel(dstDirPath, filePath)
+		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) || filepath.IsAbs(rel) {
 			return tar.ErrInsecurePath
 		}
 
+		// Symlink-traversal guard: verify that the real (resolved) parent directory
+		// of filePath is still within dstDirPath. This catches cases where a prior
+		// symlink entry created a link inside dstDirPath that points outside, and a
+		// subsequent entry tries to write through that symlink (e.g., symlink "a" -> /etc
+		// followed by entry "a/passwd").
+		// For directories, check filepath.Dir(filePath) — the existing parent — so that
+		// a symlink "a" followed by "a/b" is caught before MkdirAll creates "b" outside.
+		parentDir := filepath.Dir(filePath)
+		if parentDir != dstDirPath && filePath != dstDirPath {
+			// Walk up to the nearest existing ancestor to handle cases where
+			// parentDir doesn't exist yet but an ancestor symlink escapes.
+			checkDir := parentDir
+			for checkDir != dstDirPath {
+				if realDir, evalErr := filepath.EvalSymlinks(checkDir); evalErr == nil {
+					realDirRel, relErr := filepath.Rel(dstDirPath, realDir)
+					if relErr != nil || realDirRel == ".." || strings.HasPrefix(realDirRel, ".."+string(os.PathSeparator)) || filepath.IsAbs(realDirRel) {
+						return tar.ErrInsecurePath
+					}
+					break
+				}
+				checkDir = filepath.Dir(checkDir)
+			}
+		}
+
 		fileDirPath := filePath
 		if !fileInfo.Mode().IsDir() {
 			fileDirPath = filepath.Dir(fileDirPath)
@@ -198,6 +245,21 @@ func TarUnpack(srcPath, dstDirPath string, enableCompression bool) (err error) {
 		}
 
 		if fileInfo.Mode().IsDir() {
+			// Remove any existing symlink at filePath to prevent MkdirAll
+			// and later Chtimes from following it outside dstDirPath.
+			if existing, lErr := os.Lstat(filePath); lErr == nil && existing.Mode()&fs.ModeSymlink != 0 {
+				if err = os.Remove(filePath); err != nil {
+					return fmt.Errorf("removing symlink before mkdir %s: %w", filePath, err)
+				}
+				if err = os.MkdirAll(filePath, 0755); err != nil {
+					return fmt.Errorf("making directory %s: %w", filePath, err)
+				}
+			}
+			dirTimestamps = append(dirTimestamps, dirTimestamp{
+				path:    filePath,
+				modTime: tarHeader.ModTime,
+				accTime: tarHeader.AccessTime,
+			})
 			continue
 		}
 
@@ -208,21 +270,73 @@ func TarUnpack(srcPath, dstDirPath string, enableCompression bool) (err error) {
 			continue
 		}
 
-		if err = tarUnpackFile(filePath, tarReader, fileInfo); err != nil {
+		// Remove any existing symlink at filePath to prevent following it
+		// when writing a regular file (a malicious tar could plant a symlink
+		// then overwrite it with a regular file entry targeting outside dst).
+		if existing, lErr := os.Lstat(filePath); lErr == nil && existing.Mode()&fs.ModeSymlink != 0 {
+			if err = os.Remove(filePath); err != nil {
+				return fmt.Errorf("removing symlink before file write %s: %w", filePath, err)
+			}
+		}
+
+		if err = tarUnpackFile(filePath, tarReader, tarHeader); err != nil {
 			return fmt.Errorf("unpacking file %s: %w", filePath, err)
 		}
 	}
+
+	// Restore directory timestamps deepest-first so that restoring a parent's
+	// mtime is not undone by a subsequent Chtimes on a child directory.
+	sort.Slice(dirTimestamps, func(i, j int) bool {
+		return strings.Count(dirTimestamps[i].path, string(os.PathSeparator)) >
+			strings.Count(dirTimestamps[j].path, string(os.PathSeparator))
+	})
+	for _, dt := range dirTimestamps {
+		if dt.modTime.IsZero() {
+			continue
+		}
+		accTime := dt.accTime
+		if accTime.IsZero() {
+			accTime = dt.modTime
+		}
+		if err := os.Chtimes(dt.path, accTime, dt.modTime); err != nil {
+			return fmt.Errorf("restoring timestamps for directory %s: %w", dt.path, err)
+		}
+	}
+
+	return nil
+}
+
+func tarUnpackFile(dstFileName string, src io.Reader, header *tar.Header) (err error) {
+	srcFileInfo := header.FileInfo()
+
+	if err = tarWriteFile(dstFileName, src, srcFileInfo); err != nil {
+		return err
+	}
+
+	// Restore original timestamps from tar header after the file is closed,
+	// since some platforms (e.g. Windows) cannot change timestamps on open files.
+	if header.ModTime.IsZero() {
+		return nil
+	}
+	accTime := header.AccessTime
+	if accTime.IsZero() {
+		accTime = header.ModTime
+	}
+	if err = os.Chtimes(dstFileName, accTime, header.ModTime); err != nil {
+		return fmt.Errorf("restoring timestamps for %s: %w", dstFileName, err)
+	}
+
 	return nil
 }
 
-func tarUnpackFile(dstFileName string, src io.Reader, srcFileInfo fs.FileInfo) (err error) {
+func tarWriteFile(dstFileName string, src io.Reader, srcFileInfo fs.FileInfo) (err error) {
 	var dstFile *os.File
-	dstFile, err = os.OpenFile(dstFileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, srcFileInfo.Mode().Perm())
+	dstFile, err = os.OpenFile(dstFileName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, srcFileInfo.Mode().Perm())
 	if err != nil {
 		return fmt.Errorf("opening destination file %s: %w", dstFileName, err)
 	}
 	defer func() {
-		err = errors.Join(err, closeAndWrapErr(dstFile, "closing destination file %s: %w", dstFile))
+		err = errors.Join(err, closeAndWrapErr(dstFile, "closing destination file %s: %w", dstFileName))
 	}()
 
 	n, err := io.Copy(dstFile, src)

pkg/nfs/tar_test.go

@@ -348,3 +348,58 @@ func TestSymlinks(t *testing.T) {
 		t.Errorf("expected file %s to be: %X, got %X", outputRelSymlinkPath, testContent, data)
 	}
 }
+
+func TestTarUnpackPreservesTimestamps(t *testing.T) {
+	// Create a source directory with known timestamps
+	srcDir := t.TempDir()
+	subDir := filepath.Join(srcDir, "subdir")
+	if err := os.MkdirAll(subDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	filePath := filepath.Join(subDir, "testfile.txt")
+	if err := os.WriteFile(filePath, []byte("hello timestamps"), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Set known timestamps (2020-06-15 12:00:00 UTC)
+	knownTime := time.Date(2020, 6, 15, 12, 0, 0, 0, time.UTC)
+	if err := os.Chtimes(filePath, knownTime, knownTime); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.Chtimes(subDir, knownTime, knownTime); err != nil {
+		t.Fatal(err)
+	}
+
+	// Pack
+	archivePath := filepath.Join(t.TempDir(), "test.tar.gz")
+	if err := TarPack(srcDir, archivePath, true); err != nil {
+		t.Fatalf("TarPack failed: %v", err)
+	}
+
+	// Unpack
+	dstDir := t.TempDir()
+	if err := TarUnpack(archivePath, dstDir, true); err != nil {
+		t.Fatalf("TarUnpack failed: %v", err)
+	}
+
+	// Verify file timestamp
+	restoredFile := filepath.Join(dstDir, "subdir", "testfile.txt")
+	fi, err := os.Stat(restoredFile)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := fi.ModTime().Sub(knownTime); diff < -time.Second || diff > time.Second {
+		t.Errorf("file mtime: got %v, want %v (diff %v)", fi.ModTime(), knownTime, diff)
+	}
+
+	// Verify directory timestamp
+	restoredDir := filepath.Join(dstDir, "subdir")
+	di, err := os.Stat(restoredDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if diff := di.ModTime().Sub(knownTime); diff < -time.Second || diff > time.Second {
+		t.Errorf("dir mtime: got %v, want %v (diff %v)", di.ModTime(), knownTime, diff)
+	}
+}