Final Nostr Signer Scoring & Ranking (Sovereignty-First)

Final locked scoring/ranking/analysis for six Nostr signing stacks, evaluated under a Bitcoin/FOSS/privacy maximalist lens plus sovereignty-first operational constraints.

Working set: Amber · Signet · Nostrame · nsecbunkerd · Aegis · Nowser
Scoring: 0–100 per criterion
Composite: weighted sum
Key standards: NIPs · NIP-46 · NIP-55 · NIP-07 · NIP-49

Final Ranking (Composite Scores)

#1 Amber (88.3)
   Android dedicated signer emphasizing verifiability and key segregation. Links: GitHub, F-Droid, Releases.
#2 Signet (87.0)
   Self-hosted NIP-46 bunker with explicit security model. Links: GitHub, Security doc, nip46-relay.
#3 Nostrame (81.2)
   Chromium NIP-07 signer + account manager. Links: GitHub, Chrome Web Store.

Interpretation rule: all six pass the baseline “not garbage” filters. The ranking is purely relative, measuring key exposure, substrate risk, verifiability, and operational blast radius.

Composite formula: Composite = Σ(Weight × CriterionScore) / 100. Weights are defined in Criteria & Weights.

Final Criteria & Weights

Each project is scored 0–100 per criterion. Weights sum to 100% and encode the primary sovereignty-first priorities: minimize key exposure, demand explicit threat models, privilege verifiability, and punish hostile substrates and complexity.

| Code  | Criterion                             | Weight | Description | Primary references |
|-------|---------------------------------------|--------|-------------|--------------------|
| KEM   | Key Exposure Model                    | 20%    | How tightly scoped the nsec is; how many systems ever touch it; compartmentalization feasibility. | NIP-46, NIP-55, NIP-07 |
| SEC   | Security Architecture & Threat Model  | 18%    | Explicit threat model; concrete crypto parameters; kill switches; policy controls; sane defaults (not vibes). | Signet SECURITY.md, nsecbunkerd SECURITY-MODEL.md, NIP-49 |
| SCV   | Supply Chain & Verifiability          | 12%    | Reproducible builds; signed releases; trustworthy distribution paths (e.g., F-Droid) vs opaque binaries. | Amber Releases, Amber on F-Droid |
| RT    | Runtime / OS Risk                     | 10%    | Substrate hostility: hardened Linux server vs Android vs Chromium vs cross-platform “everywhere”. | Nostrame (Chromium extension), Amber (Android app) |
| INFRA | Self-Hosting & Infra Control          | 8%     | Full control: self-hostable daemons, private networking, no required hosted control planes. | Signet, nsecbunkerd, nsecbunker on StartOS |
| CX    | Complexity & Blast Radius             | 8%     | Moving parts: daemon+DB+UI stacks vs single-purpose apps; complexity punishes misconfig and patch debt. | Signet stack (daemon + UI), Nowser (multi-platform) |
| PRV   | Privacy & Third-Party Dependence      | 8%     | Telemetry, required accounts, hosted dashboards, forced relays, metadata leakage surfaces. | Nostrame (local-only model), Amber (no server premise) |
| LIC   | License & Forkability                 | 6%     | Fork and redeploy freedom: permissive licenses score highest; copyleft constraints score lower here. | Nostrame (Unlicense), Amber (MIT), Nowser (GPL-3.0) |
| NIP   | Nostr Capability & Ecosystem Fit      | 5%     | NIP coverage (46/55/07/49, etc.), hardware integration paths, and broad client compatibility. | NIP-46, NIP-55, NIP-07, NIP-49 |
| MAT   | Maturity & Adoption                   | 5%     | Release cadence, maintenance activity, and real-world usage as a robustness signal. | Amber releases, Signet releases (v1.9.0), Nowser releases (v1.4.1) |

KEM and SEC dominate by design. SCV is treated as sovereignty-critical (not cosmetic). RT and CX punish hostile substrates and operational sprawl.

Final Score Tables

Per-Criterion Scores (0–100)

| Rank | Project | KEM | SEC | SCV | RT | INFRA | CX | PRV | LIC | NIP | MAT | Composite |
|------|---------|-----|-----|-----|----|-------|----|-----|-----|-----|-----|-----------|
| #1 | Amber (Android dedicated signer · repo · F-Droid) | 93 | 86 | 98 | 70 | 75 | 90 | 94 | 95 | 90 | 90 | 88.3 |
| #2 | Signet (Self-hosted bunker · repo · SECURITY.md) | 88 | 96 | 70 | 90 | 95 | 70 | 90 | 95 | 88 | 85 | 87.0 |
| #3 | Nostrame (Chromium extension · repo · store) | 90 | 88 | 60 | 60 | 70 | 80 | 92 | 100 | 95 | 80 | 81.2 |
| #4 | nsecbunkerd (Legacy bunker daemon · repo · security model) | 80 | 80 | 60 | 88 | 95 | 70 | 80 | 95 | 86 | 90 | 80.5 |
| #5 | Aegis (Cross-platform signer · repo · releases) | 83 | 72 | 55 | 80 | 90 | 76 | 85 | 80 | 88 | 70 | 76.9 |
| #6 | Nowser (Multi-platform key manager · repo · releases) | 85 | 75 | 55 | 75 | 90 | 65 | 85 | 70 | 92 | 80 | 76.6 |
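The composite formula and the two tables above are enough to recompute every number on this page. The following script is an added example (not part of the original analysis and not code from any of the six projects): it encodes the published weights and per-criterion scores, recomputes each composite with the page's formula, checks the result against the listed values, and breaks a composite down by criterion so the source of the Amber/Signet gap is visible. Decimal arithmetic with half-up rounding is an assumption about how the author rounded (it is what makes Nostrame's exact 81.15 land on the listed 81.2); the alphabetical tie-break in rank() is also an assumption, since the page has no ties.

```python
from decimal import Decimal, ROUND_HALF_UP

# Criterion codes and weights (percent), exactly as given in "Final Criteria & Weights".
WEIGHTS = {
    "KEM": 20, "SEC": 18, "SCV": 12, "RT": 10, "INFRA": 8,
    "CX": 8, "PRV": 8, "LIC": 6, "NIP": 5, "MAT": 5,
}
CRITERIA = list(WEIGHTS)  # column order of the per-criterion score table

# Per-criterion scores (0-100) transcribed from the "Per-Criterion Scores" table,
# in the order KEM SEC SCV RT INFRA CX PRV LIC NIP MAT.
SCORES = {
    "Amber":       [93, 86, 98, 70, 75, 90, 94, 95, 90, 90],
    "Signet":      [88, 96, 70, 90, 95, 70, 90, 95, 88, 85],
    "Nostrame":    [90, 88, 60, 60, 70, 80, 92, 100, 95, 80],
    "nsecbunkerd": [80, 80, 60, 88, 95, 70, 80, 95, 86, 90],
    "Aegis":       [83, 72, 55, 80, 90, 76, 85, 80, 88, 70],
    "Nowser":      [85, 75, 55, 75, 90, 65, 85, 70, 92, 80],
}

# Composite values as printed on the page; used only to cross-check the arithmetic.
PAGE_COMPOSITES = {
    "Amber": "88.3", "Signet": "87.0", "Nostrame": "81.2",
    "nsecbunkerd": "80.5", "Aegis": "76.9", "Nowser": "76.6",
}


def contribution_breakdown(scores, weights=WEIGHTS):
    """Weighted contribution of each criterion (weight * score / 100), before rounding.

    Summing the values gives the unrounded composite; comparing two projects'
    breakdowns shows which criteria actually drive the ranking gap.
    """
    return {
        code: Decimal(weights[code]) * Decimal(score) / Decimal(100)
        for code, score in zip(CRITERIA, scores)
    }


def composite(scores, weights=WEIGHTS):
    """Composite = sum(weight * score) / 100, rounded half-up to one decimal.

    Decimal is used (assumption about the author's rounding) so that an exact
    81.15 rounds to 81.2 deterministically rather than depending on binary floats.
    """
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100%")
    total = sum(contribution_breakdown(scores, weights).values())
    return total.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def rank(scores_by_project, weights=WEIGHTS):
    """Return [(project, composite)] sorted highest first; ties broken by name (assumed)."""
    rows = [(name, composite(s, weights)) for name, s in scores_by_project.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def check_against_page():
    """Recompute every composite; return {project: (computed, listed)} for any mismatch."""
    mismatches = {}
    for name, scores in SCORES.items():
        computed = composite(scores)
        if computed != Decimal(PAGE_COMPOSITES[name]):
            mismatches[name] = (str(computed), PAGE_COMPOSITES[name])
    return mismatches


if __name__ == "__main__":
    for position, (name, score) in enumerate(rank(SCORES), start=1):
        print(f"#{position} {name:<12} {score}")
    print("mismatches vs page:", check_against_page() or "none")

    # Where does the #1/#2 gap come from? Compare the two breakdowns criterion by criterion.
    amber = contribution_breakdown(SCORES["Amber"])
    signet = contribution_breakdown(SCORES["Signet"])
    for code in CRITERIA:
        print(f"{code:<6} Amber {amber[code]:>6}  Signet {signet[code]:>6}  delta {amber[code] - signet[code]:>6}")
```

Running it reproduces the six composites exactly. The breakdown shows the trade the ranking encodes: Signet leads on SEC (17.28 vs 15.48) and on RT/INFRA, while Amber's SCV (11.76 vs 8.40) and CX contributions more than cover that, which is the weighting the "KEM and SEC dominate by design, SCV is sovereignty-critical" note describes. Changing WEIGHTS is the quickest way to see how sensitive the order is to that choice.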

Quick Notes on the Biggest Differentiators

Amber dominates Supply Chain & Verifiability via F-Droid packaging and a release/verification culture visible in GitHub Releases.
Signet dominates Security Architecture with explicit written controls (JWT, rate limiting, kill switch, inactivity lock) documented in SECURITY.md, aligned with NIP-46 and NIP-49.

Project Profiles (Final, Detailed)

Amber — Android Nostr signer as dedicated NIP-46/55 device (Rank #1 · 88.3)

Primary links: GitHub repo · Releases · F-Droid package · NIP-46 · NIP-55

Composite 88.3 · KEM 93 · SCV 98 · RT 70
  • Design premise: keep the nsec segregated inside a single dedicated Android signer, then use NIP-46 remote signing so other apps never touch the key. The project explicitly frames the smartphone as a signing device without servers or additional hardware (repo).
  • Key exposure profile (KEM 93): key material is concentrated in one signer surface. On Android, integration with the signer-app pattern described by NIP-55 can reduce cross-app key handling (repo).
  • Security posture (SEC 86): while not as formally threat-modeled as Signet, the posture is coherent: no server, NIP-46 signing, and a narrowly-scoped role (repo).
  • Supply chain (SCV 98): top score due to distribution via F-Droid plus an explicit release/verification culture observable in Releases.
  • Runtime substrate (RT 70): Android introduces vendor/ROM/hardware variance. The project’s release notes have discussed device-specific keystore/StrongBox behavior, underscoring substrate variability (Releases).
  • Operational complexity (CX 90): no daemon, no database, no reverse proxy—simplicity favors reduced misconfiguration risk (contrast with remote bunkers).
Net: Amber is the cleanest “device-local signer” model in this set: narrow role, strong verifiability, and explicit alignment with the NIP-46 rationale.

Signet — Self-hosted NIP-46 bunker daemon (Rank #2 · 87.0)

Primary links: GitHub repo · SECURITY.md · nip46-relay · NIP-46 · NIP-49

Composite 87.0 · SEC 96 · INFRA 95 · CX 70
  • Design premise: a self-hosted remote signer with separation between signing backend and UI, explicitly positioned as an extensive rewrite of nsecbunkerd (repo).
  • Security architecture (SEC 96): the standout differentiator is explicit written controls documented in SECURITY.md (policy enforcement, authentication patterns, and a coherent threat model framing).
  • Key exposure profile (KEM 88): keys remain in the bunker; client apps submit signing requests over NIP-46. Key encryption aligns with NIP-49 concepts (repo).
  • Infrastructure control (INFRA 95): designed for self-hosting and private networking. Optional companion tooling includes nip46-relay for environments that prefer a dedicated relay path.
  • Supply chain (SCV 70): tagged releases exist (repo), but there is no clear reproducible-build / signed-binary discipline comparable to Amber’s documented release verification (Amber releases).
  • Operational blast radius (CX 70): a bunker daemon + UI stack is inherently more complex than a single-purpose signer app. Correct deployment (private network, port discipline, patching cadence) is mandatory.
Net: Signet is the apex “remote bunker” in this set: explicit security model plus full self-hosting control; complexity is the primary cost.

Nostrame — Chromium NIP-07 signer & account manager (Rank #3 · 81.2)

Primary links: GitHub repo · Chrome Web Store · NIP-07 · NIP-49

Composite 81.2 · LIC 100 · RT 60 · NIP 95
  • Design premise: provide window.nostr (NIP-07) signing so web apps can request signatures without ever receiving the private key (repo).
  • Key exposure profile (KEM 90): the project positions itself as “sign without exposing keys” and includes multi-account management; key encryption and import/export align with NIP-49 concepts (repo).
  • Runtime substrate (RT 60): Chromium extensions inherit a large browser attack surface and store/update channel risk (store listing).
  • License & forkability (LIC 100): released under the Unlicense, maximizing fork freedom and private redeploy potential (repo).
  • Supply chain (SCV 60): source is available, and the extension is distributed via the Chrome Web Store; there is no clear signed/reproducible build pipeline comparable to Amber’s F-Droid path (F-Droid reference point).
  • Capability (NIP 95): broad NIP coverage is advertised in the repository description and feature list, making it a high-compatibility web signer (repo).
Net: strongest “browser-layer signer” in this set; the ranking ceiling is primarily constrained by Chromium substrate risk and supply-chain verifiability limits.

nsecbunkerd — Original bunker daemon (Rank #4 · 80.5)

Primary links: GitHub repo · SECURITY-MODEL.md · StartOS package · NIP-46 context

Composite 80.5 · INFRA 95 · SEC 80 · MAT 90
  • Design premise: a daemon that stores Nostr private keys and signs remotely under policies—an early “bunker” pattern that predates the current consolidation around NIP-46 nomenclature (repo).
  • Security model (SEC 80): a written model exists in SECURITY-MODEL.md, but it is less extensive and less parameterized than Signet’s SECURITY.md.
  • Infrastructure control (INFRA 95): aligns well with self-hosted operator stacks; a packaging example exists for StartOS via nsecbunker-startos.
  • Supply chain (SCV 60): MIT licensed and deployable via Docker, but without a visible signed/reproducible binary discipline in the public repo comparable to Amber’s distribution posture (Amber releases).
  • Maturity (MAT 90): long-lived and widely referenced within the bunker pattern, contributing to battle-testing confidence.
Net: strong legacy bunker that still works; the successor path is clearer in Signet, which explicitly positions itself as a rewrite and ships a more detailed security model.

Aegis — Simple cross-platform signer with multiple connection methods (Rank #5 · 76.9)

Primary links: GitHub repo · Releases · NIP-46 · NIP-55

Composite 76.9 · INFRA 90 · SCV 55 · MAT 70
  • Design premise: “simple and cross-platform” signer with multiple connection methods; the repository explicitly lists support for bunker:// connections and iOS URL scheme redirection (repo).
  • Capability (NIP 88): oriented around NIP-46-style remote signing flows and mobile integration patterns; also references Android signer pathways consistent with NIP-55 usage (repo).
  • Security documentation (SEC 72): the public repo does not present a full threat-model narrative comparable to Signet’s security documentation, reducing the SEC score despite good feature intent.
  • Supply chain (SCV 55): releases exist (releases), but there is no obvious signed/reproducible pipeline discipline in public docs.
  • License (LIC 80): LGPL-3.0 provides openness but is scored below MIT/Unlicense on fork redeploy freedom in this framework (repo).
Net: promising cross-platform signer with good connection surface coverage; the current limiting factor is security-model explicitness and verifiable release rigor.

Nowser — Multi-platform key manager & signer (Rank #6 · 76.6)

Primary links: GitHub repo · Releases · Nesigner (hardware signer) · NIP-46 · NIP-55

Composite 76.6 · NIP 92 · CX 65 · LIC 70
  • Design premise: a multi-platform signing project spanning iOS/Android/macOS/Windows/Linux; the repo lists platform coverage and NIP support (repo).
  • Capability (NIP 92): strong feature footprint: NIP-46 remote signing and Android signer paths consistent with NIP-55 patterns (repo).
  • Hardware integration path: projects under the same maintainer include Nesigner, an ESP32 hardware signer, providing an off-device signing option (useful for shrinking KEM in a layered architecture).
  • Complexity (CX 65): broad platform coverage and multi-mode behavior increase surface area and platform-specific bug risk; this criterion is explicitly penalized in this framework.
  • Supply chain (SCV 55): release binaries exist (releases), but there is no visible signed/reproducible verification discipline comparable to Amber’s F-Droid + release verification posture (Amber on F-Droid).
  • License (LIC 70): GPL-3.0 is fully open but scored below MIT/Unlicense for fork redeploy flexibility in this rubric (repo).
Net: powerful multi-platform signing environment with a credible hardware extension path; it ranks below the top set primarily due to complexity, substrate breadth, and verifiability posture.

Structural Interpretation (What the Ranking Actually Encodes)

Archetype A — Device-local signer (no servers):
  Amber: a dedicated Android signer aligns strongly with the NIP-46 rationale (“expose keys to as few systems as possible”) and scores highest when verifiability and simplicity are prioritized (repo, F-Droid).
Archetype B — Self-hosted remote bunker:
  Signet: the apex bunker model when infrastructure discipline is assumed: explicit security doc, private networking posture, and full self-hosting control (repo, SECURITY.md). Complexity is the cost.
Archetype C — Browser-layer signer (web clients):
  Nostrame: best-in-set for NIP-07 web signing, but structurally capped by Chromium substrate risk and weaker supply-chain verifiability (repo, store).
Legacy vs successor:
  nsecbunkerd remains viable and battle-tested (repo, security model), but Signet explicitly positions itself as the rewrite and carries a more extensive security narrative.
Why Aegis & Nowser land below the top set: both are capable and aligned with remote signing patterns, but this rubric punishes (a) weaker explicit threat modeling in public docs and (b) weaker verifiability stories. Aegis anchors to its cross-platform signer posture (repo); Nowser anchors to multi-platform reach plus hardware extension paths (repo, Nesigner).