TrackerControl allows you to monitor and control the widespread, ongoing, hidden data collection in mobile apps about user behaviour (tracking).
View the Project on GitHub TrackerControl/tracker-control-android
TrackerControl builds release APK payloads on Linux so that external rebuilders can reproduce the native Rust libraries. The long-lived Android signing key stays on the release maintainer’s Mac and is never uploaded to GitHub Actions.
The release has two stages:
.github/workflows/release-build.yml. It performs a
clean, unsigned githubRelease build on Ubuntu 22.04 with pinned Android,
Rust, cargo-ndk, and Java toolchains.scripts/build_and_sign.sh downloads that exact workflow artifact, checks
that its commit matches the tag, signs it locally, verifies the certificate,
and creates a draft GitHub release.Install and authenticate the GitHub CLI, and ensure Android SDK Build Tools are installed:
gh auth login
"$HOME/Library/Android/sdk/cmdline-tools/latest/bin/sdkmanager" \
'build-tools;36.1.0'
Place the release keystore at trackercontrol.jks in the repository root. The
path is ignored by Git. A different path can be supplied with
RELEASE_STORE_FILE.
The script expects the alias trackercontrol. Override it with
RELEASE_KEY_ALIAS if necessary.
Store both passwords in macOS Keychain under the service names used by the existing release process:
security add-generic-password -U -a "$USER" \
-s android_keystore_password -w
security add-generic-password -U -a "$USER" \
-s android_key_password -w
Keep an offline backup of the keystore and its passwords. The expected public certificate SHA-256 is hard-coded in the script so that the wrong keystore cannot accidentally sign a release.
First update and commit versionCode and versionName in app/build.gradle.
Create and push the numeric release tag:
git tag 2026071301
git push origin 2026071301
Wait for Build unsigned GitHub release APK to finish successfully. Then run:
./scripts/build_and_sign.sh 2026071301
The script writes the signed APK and verification metadata to
output/release-2026071301/ and creates a draft GitHub release containing:
TrackerControl-githubRelease-latest.apkSHA256SUMS.txtBUILD-INFO.txtInstall and test the APK from the draft, then publish the release in GitHub.
If more than one successful build exists for the same commit, pass the desired Actions run ID explicitly:
./scripts/build_and_sign.sh 2026071301 1234567890
The workflow can also be started from the Actions UI with Run workflow and
a tag or commit in the ref input. It still produces only an unsigned artifact;
the signing key remains local.
The local script supports these environment variables:
GH_REPORELEASE_WORKFLOWRELEASE_STORE_FILERELEASE_STORE_PASSWORDRELEASE_KEY_ALIASRELEASE_KEY_PASSWORDRELEASE_CERT_SHA256RELEASE_BUILD_TOOLS_VERSIONRELEASE_OUTPUT_DIR