SeedSigner

SeedSigner turns a handful of commodity parts — a Raspberry Pi Zero, a camera module, and a tiny screen — into a stateless, air-gapped Bitcoin signing device that never persists a private key. It is less a product than a recipe: open-source firmware you flash yourself onto hardware you assemble for the price of a few coffees.

Background SeedSigner began as a community project to make air-gapped, multisig-grade signing accessible to anyone, without trusting a single vendor's supply chain. There is no company, no serial number, and no proprietary secure element — the threat model is deliberately built around the assumption that you do not need to trust the manufacturer because you are the manufacturer. Firmware is developed in the open on GitHub and verified by reproducible builds.

What you trust You trust the open-source firmware (which you can read and build), the off-the-shelf parts you sourced, and the QR-code airgap between the signer and your coordinator. You do not trust persistent storage: the device is stateless by design, so a seized or lost SeedSigner reveals nothing — there is no seed on it to extract.

Operational specs Bitcoin-only. The signer holds no keys between sessions; you re-enter your seed (or restore from a SeedQR) each time you sign, then power-cycle to wipe it from memory. All communication with your wallet coordinator (Sparrow, Specter, Nunchuk, etc.) happens via QR codes — no USB, no Bluetooth, no network interface of any kind. Strong support for multisig and passphrase (BIP39) workflows. Entropy can be generated from dice or coin flips for the paranoid.

Philosophy SeedSigner is an expression of the "don't trust, verify — and build it yourself" ethos. By removing the vendor from the trust equation entirely, it sidesteps an entire class of supply-chain and firmware-backdoor risks that even reputable hardware wallets cannot fully rule out. Statelessness is the point: the safest secret is the one that was never written down inside the device.

Grade rationale Grade A. Fully open, reproducibly built, no persistent attack surface, and a credible answer to supply-chain distrust. The DIY assembly and Bitcoin-only scope keep it from being a universal recommendation, but for its intended use — verifiable, vendor-trustless signing — it is best-in-class.

Useful when You want air-gapped multisig without trusting a hardware vendor; you are comfortable assembling and flashing a device; you value statelessness over convenience; you are building a self-custody setup where the signer should reveal nothing if seized.

Caveats Bitcoin-only — no Monero or altcoin signing. Assembly and firmware verification require some technical confidence. Re-entering the seed each session is friction by design, not a bug. The screen and input are minimal; this is a tool for deliberate, careful signing, not casual daily spending.