CAMBIUM

An Android NIP‑55 signer for Heartwood

The signer that
holds no keys.

Cambium registers as a signer on your phone, but it is not one. Every request — every signature, every decrypt — travels over Nostr relays to your Heartwood hardware signer and is answered there. Compromise the phone and you hold the ability to ask; the answer still comes from hardware, behind its own policy and a physical button.

Android 8.1+  ·  GrapheneOS-first  ·  no Google services  ·  MIT

CLIENTS Amethyst · Primal · Voyage CAMBIUM this app — the living layer RELAYS NIP-46, sealed in NIP-44 HEARTWOOD keys live here, and only here
Fig. 1 — Cross-section of a signing request. The phone is the layer, not the wood.
01

The gap it fills

Amethyst, Primal, Voyage and most other Amber-compatible Android clients cannot log in to a remote NIP‑46 bunker directly. All of them can sign in with any installed NIP‑55 external signer.

Cambium sits between the two: it registers as a signer, translates each NIP‑55 intent into a NIP‑46 request against your Heartwood, and hands the response straight back. The name follows the tree — cambium is the living layer between bark and wood.

02

Security model

Nothing to steal
No user secrets ever touch the phone. Cambium stores the pairing — Heartwood's public key, its relay list, the connection secret — and its own ephemeral NIP‑46 client keypair. The identity key is not here to find.
Encrypted at rest
What little it does store lives in Android Keystore-backed encrypted preferences, never in plain files.
Hardware is the authority
Per-app approval on the phone is a convenience filter. Heartwood's own policy engine and physical confirmation button decide what actually gets signed — Cambium can refuse on its behalf, never grant.
Sealed in transit
Every NIP‑46 payload is NIP‑44-encrypted end to end. Relays route envelopes; they read nothing.
03

What's inside

04

Pairing takes a minute

  1. i

    Install Cambium on your phone.

  2. ii

    In Sapwood, choose Connect an app and name it. It shows a bunker:// URI as a QR code.

  3. iii

    In Cambium, scan it — a successful scan pairs immediately. No camera? Paste the URI text instead; the camera is never required.

  4. iv

    In any Amber-compatible client, log in with an external signer and pick Cambium. Approve the app once; every signature still comes from your hardware.

Honest numbers: a signature is one relay round trip — roughly half a second to a couple of seconds, depending on your relays. Repeat decrypts skip the trip entirely.

05

Install, then verify

Download the signed APK from GitHub Releases, or point Obtainium at the repository for automatic update tracking. Before installing, check the signing certificate with AppVerifier:

dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:
7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6

Releases before 0.2.0 were never published; the 0.2.0 key is the trust root.

§

The whole tree