TrackerControl builds release APK payloads on Linux so that external rebuilders can reproduce the native Rust libraries. The long-lived Android signing key stays on the release maintainer's Mac and is never uploaded to GitHub Actions.
The release has two stages:
- A numeric tag triggers
.github/workflows/release-build.yml. It performs a clean, unsignedgithubReleasebuild on Ubuntu 22.04 with pinned Android, Rust, cargo-ndk, and Java toolchains. scripts/build_and_sign.shdownloads that exact workflow artifact, checks that its commit matches the tag, signs it locally, verifies the certificate, and creates a draft GitHub release.
Install and authenticate the GitHub CLI, and ensure Android SDK Build Tools are installed:
gh auth login
"$HOME/Library/Android/sdk/cmdline-tools/latest/bin/sdkmanager" \
'build-tools;36.1.0'Place the release keystore at trackercontrol.jks in the repository root. The
path is ignored by Git. A different path can be supplied with
RELEASE_STORE_FILE.
The script expects the alias trackercontrol. Override it with
RELEASE_KEY_ALIAS if necessary.
Store both passwords in macOS Keychain under the service names used by the existing release process:
security add-generic-password -U -a "$USER" \
-s android_keystore_password -w
security add-generic-password -U -a "$USER" \
-s android_key_password -wKeep an offline backup of the keystore and its passwords. The expected public certificate SHA-256 is hard-coded in the script so that the wrong keystore cannot accidentally sign a release.
First update and commit versionCode and versionName in app/build.gradle.
Create and push the numeric release tag:
git tag 2026071301
git push origin 2026071301Wait for Build unsigned GitHub release APK to finish successfully. Then run:
./scripts/build_and_sign.sh 2026071301The script writes the signed APK and verification metadata to
output/release-2026071301/ and creates a draft GitHub release containing:
TrackerControl-githubRelease-latest.apkSHA256SUMS.txtBUILD-INFO.txt
Install and test the APK from the draft, then publish the release in GitHub.
If more than one successful build exists for the same commit, pass the desired Actions run ID explicitly:
./scripts/build_and_sign.sh 2026071301 1234567890The workflow can also be started from the Actions UI with Run workflow and
a tag or commit in the ref input. It still produces only an unsigned artifact;
the signing key remains local.
The local script supports these environment variables:
GH_REPORELEASE_WORKFLOWRELEASE_STORE_FILERELEASE_STORE_PASSWORDRELEASE_KEY_ALIASRELEASE_KEY_PASSWORDRELEASE_CERT_SHA256RELEASE_BUILD_TOOLS_VERSIONRELEASE_OUTPUT_DIR