Skip to content

Releases: forgesworn/cambium

Cambium 0.3.2

Choose a tag to compare

@TheCryptoDonkey TheCryptoDonkey released this 10 Jul 22:50

Polish on the 0.3.1 fixes.

  • The approval sheet now warns live whenever the selected identity differs from the app's existing binding, including when the picker is moved by hand.
  • Activity log writing is a single process-wide writer fed by a non-blocking queue.
  • Queue-shed log lines name which identity's queue is shedding.
  • Faster hex encoding on the request path; build-time guard against a recurring XML-comment pitfall.

Verify before installing (AppVerifier):

dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6

SHA-256 of cambium-0.3.2.apk: 96d76235afef9e306ba2395a4ec4ba17474e6e3d389fa5691648b4938cbecd6c

Cambium 0.3.1

Choose a tag to compare

@TheCryptoDonkey TheCryptoDonkey released this 10 Jul 22:28

Fix release from the completed 0.3.0 review. Recommended update for everyone on 0.3.0.

Fixes

  • A first-time burst of concurrent requests against a newly paired identity could construct duplicate session workers and leak the losers; session creation is now atomic.
  • The approval sheet's identity picker now defaults to the app's existing binding (after a current_user match) instead of the first pairing, and says when a different identity is selected, so a routine re-approval cannot silently rebind an app to another identity.
  • Activity log writes are serialised process-wide and never block the request path; silent cache hits are no longer logged.
  • Removing the last pairing from its row now stops the keep-warm service immediately.
  • Less repeated work per request on the intent path.

Install

Verify before installing (AppVerifier):

dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6

SHA-256 of cambium-0.3.1.apk: ea2436879fa2d12f5a9a75535b1a4994085ca9aa763ee53fff881a07de06f54e

Cambium 0.3.0

Choose a tag to compare

@TheCryptoDonkey TheCryptoDonkey released this 10 Jul 17:37

Multi-identity release. Cambium remains the Android NIP-55 signer that holds no keys: every signature comes from your paired Heartwood hardware signer over NIP-46.

What's in 0.3.0

  • Multiple identities. Pair each Heartwood identity separately (each bunker URI is one identity). Apps bind to an identity when you approve them; NIP-55's current_user (npub or hex) selects the identity per request. Cambium never substitutes identities silently: a request naming an identity it does not hold is refused, and an ambiguous request asks. Each identity gets its own isolated connection, request queue and decrypt cache.
  • Activity log. An on-phone, metadata-only record of signer activity: app, method, event kind, identity, outcome. No event content, plaintext or ciphertext is ever stored. Toggle off or clear at any time.
  • App lock. An optional biometric or device-credential gate on the management screen and approval decisions. Background signing for already-approved apps is never gated.
  • Existing 0.2.x pairings and approvals migrate automatically.

Install

Requires a paired Heartwood signer (pair via Sapwood: Apps, Connect an app, scan the QR). Android 8.1+, no Google Play services.

Verify before installing (AppVerifier):

dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6

SHA-256 of cambium-0.3.0.apk: e0e0204d40e7b2668bb0ef03ef07d7b4aa06980af2e2b109153a76a299229b21

Track updates with Obtainium pointed at this repository.

Cambium 0.2.0

Choose a tag to compare

@TheCryptoDonkey TheCryptoDonkey released this 09 Jul 23:49

First signed release of Cambium: the Android NIP-55 signer that holds no keys. Every signature comes from your paired Heartwood hardware signer over NIP-46.

What's in 0.2.0

  • Private zaps decrypt (decrypt_zap_event, DIP-03 recipient path): Cambium unpacks the zap request's anon tag locally and asks Heartwood for an ordinary nip04_decrypt. Viewing your own sent private zaps needs the raw private key and is permanently out of reach over NIP-46; those attempts fail as a normal decrypt error.
  • Keep connection warm: an optional, off-by-default foreground service holds the signer session between requests, so silent signing skips the reconnect penalty. Survives reboots while enabled.
  • Persistent denial: the approval sheet gains an "always deny this app" action; denied apps get a terminal rejection on every path. A connected-apps list shows every remembered choice with a Forget action.
  • Login transparency: the first-approval sheet shows the permissions a client asked for. Display only: Heartwood's own policy decides what actually gets signed.
  • Decrypt cache and invisible processing: repeat decrypts answer instantly, and requests from approved apps render nothing at all.
  • Hardening: a malformed zap request can no longer crash the provider; back-press and rotation can no longer swallow an in-flight request's result; boot-time work moved off the main thread.

Install

Requires a paired Heartwood signer (pair via Sapwood: Apps, Connect an app, scan the QR). Android 8.1+, no Google Play services.

Verify before installing (AppVerifier):

dev.forgesworn.cambium
9E:A1:88:EF:A9:01:5F:7E:7F:90:E1:88:8F:58:6F:52:7B:2A:0E:8A:6D:CD:B3:99:1E:41:FB:4F:14:EE:EF:C6

SHA-256 of cambium-0.2.0.apk: 318e2b2eb5958a8a58f6c689972fdcbc53d442e486d43535d27e44dafc49d1b7

Track updates with Obtainium pointed at this repository.