Skip to content

Add EVM support to the export-and-sign signing flow#122

Open
t-vila wants to merge 4 commits into
mainfrom
traian/export-and-sign-evm
Open

Add EVM support to the export-and-sign signing flow#122
t-vila wants to merge 4 commits into
mainfrom
traian/export-and-sign-evm

Conversation

@t-vila

@t-vila t-vila commented Jul 6, 2026

Copy link
Copy Markdown

Extends the export-and-sign iframe to sign EVM transactions and messages with an injected private key, alongside the existing Solana support. Signing happens entirely in-memory inside the iframe; key material never reaches the parent page.

  • onSignTransaction — new ETHEREUM branch. Takes a 0x-prefixed serialized unsigned transaction, signs it, and returns the broadcast-ready serialized signed transaction (via viem parseTransaction → account.signTransaction).

  • onSignMessage — new ETHEREUM branch. EIP-191 personal_sign over the UTF-8 message, matching how the Solana path treats messages.

  • New helpers getOrCreateEthereumAccount (lazy + cached, mirrors getOrCreateKeypair) and signEthereumTransaction.

  • Adds viem@2.45.0.

Design note — contract is symmetric with Solana

The EVM path deliberately mirrors the Solana contract: the caller builds and serializes the unsigned transaction with whatever library it likes (ethers/viem/web3/…) and hands the iframe serialized hex; the iframe returns serialized signed hex. This keeps the iframe build-agnostic rather than coupling callers to a specific transaction-object shape.

// EVM
signTransaction(
  { transaction: serializedUnsignedTxHex, type: TransactionType.Ethereum },
  address,
);
// Solana (unchanged)
signTransaction(
  { transaction: serializedTxHex, type: TransactionType.Solana },
  address,
);

A JSON tx-object input form can be added later as a superset (branch on 0x vs {) if we want the ergonomic alternative — not needed now.

No changes to @turnkey/iframe-stamper required: TransactionType.Ethereum / MessageType.Ethereum already exist. loadKeyIntoMemory is untouched — the viem account is derived lazily at sign time, so no keyFormat → curve coupling.

Tests

New EVM Signing suite in index.test.js

  • signs an EVM transaction and asserts the result recovers to the injected key's address
  • signs an EVM message (EIP-191) and asserts it recovers to the injected key's address
  • rejects an unsupported transaction type

Full suite: 39/39 passing, lint clean.

Manual testing using the updated example in tkhq/sdk#1432

@socket-security

socket-security Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedviem@​2.45.09710010097100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant