Releases: forgesworn/cambium
Release list
Cambium 0.3.2
Polish on the 0.3.1 fixes.
- The approval sheet now warns live whenever the selected identity differs from the app's existing binding, including when the picker is moved by hand.
- Activity log writing is a single process-wide writer fed by a non-blocking queue.
- Queue-shed log lines name which identity's queue is shedding.
- Faster hex encoding on the request path; build-time guard against a recurring XML-comment pitfall.
Verify before installing (AppVerifier):
dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6
SHA-256 of cambium-0.3.2.apk: 96d76235afef9e306ba2395a4ec4ba17474e6e3d389fa5691648b4938cbecd6c
Cambium 0.3.1
Fix release from the completed 0.3.0 review. Recommended update for everyone on 0.3.0.
Fixes
- A first-time burst of concurrent requests against a newly paired identity could construct duplicate session workers and leak the losers; session creation is now atomic.
- The approval sheet's identity picker now defaults to the app's existing binding (after a
current_usermatch) instead of the first pairing, and says when a different identity is selected, so a routine re-approval cannot silently rebind an app to another identity. - Activity log writes are serialised process-wide and never block the request path; silent cache hits are no longer logged.
- Removing the last pairing from its row now stops the keep-warm service immediately.
- Less repeated work per request on the intent path.
Install
Verify before installing (AppVerifier):
dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6
SHA-256 of cambium-0.3.1.apk: ea2436879fa2d12f5a9a75535b1a4994085ca9aa763ee53fff881a07de06f54e
Cambium 0.3.0
Multi-identity release. Cambium remains the Android NIP-55 signer that holds no keys: every signature comes from your paired Heartwood hardware signer over NIP-46.
What's in 0.3.0
- Multiple identities. Pair each Heartwood identity separately (each bunker URI is one identity). Apps bind to an identity when you approve them; NIP-55's
current_user(npub or hex) selects the identity per request. Cambium never substitutes identities silently: a request naming an identity it does not hold is refused, and an ambiguous request asks. Each identity gets its own isolated connection, request queue and decrypt cache. - Activity log. An on-phone, metadata-only record of signer activity: app, method, event kind, identity, outcome. No event content, plaintext or ciphertext is ever stored. Toggle off or clear at any time.
- App lock. An optional biometric or device-credential gate on the management screen and approval decisions. Background signing for already-approved apps is never gated.
- Existing 0.2.x pairings and approvals migrate automatically.
Install
Requires a paired Heartwood signer (pair via Sapwood: Apps, Connect an app, scan the QR). Android 8.1+, no Google Play services.
Verify before installing (AppVerifier):
dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6
SHA-256 of cambium-0.3.0.apk: e0e0204d40e7b2668bb0ef03ef07d7b4aa06980af2e2b109153a76a299229b21
Track updates with Obtainium pointed at this repository.
Cambium 0.2.0
First signed release of Cambium: the Android NIP-55 signer that holds no keys. Every signature comes from your paired Heartwood hardware signer over NIP-46.
What's in 0.2.0
- Private zaps decrypt (
decrypt_zap_event, DIP-03 recipient path): Cambium unpacks the zap request'sanontag locally and asks Heartwood for an ordinary nip04_decrypt. Viewing your own sent private zaps needs the raw private key and is permanently out of reach over NIP-46; those attempts fail as a normal decrypt error. - Keep connection warm: an optional, off-by-default foreground service holds the signer session between requests, so silent signing skips the reconnect penalty. Survives reboots while enabled.
- Persistent denial: the approval sheet gains an "always deny this app" action; denied apps get a terminal rejection on every path. A connected-apps list shows every remembered choice with a Forget action.
- Login transparency: the first-approval sheet shows the permissions a client asked for. Display only: Heartwood's own policy decides what actually gets signed.
- Decrypt cache and invisible processing: repeat decrypts answer instantly, and requests from approved apps render nothing at all.
- Hardening: a malformed zap request can no longer crash the provider; back-press and rotation can no longer swallow an in-flight request's result; boot-time work moved off the main thread.
Install
Requires a paired Heartwood signer (pair via Sapwood: Apps, Connect an app, scan the QR). Android 8.1+, no Google Play services.
Verify before installing (AppVerifier):
dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6
SHA-256 of cambium-0.2.0.apk: 318e2b2eb5958a8a58f6c689972fdcbc53d442e486d43535d27e44dafc49d1b7
Track updates with Obtainium pointed at this repository.