evm-kms-signer 1.0.1 → 1.1.0

package/README.md

@@ -1,16 +1,17 @@
 # evm-kms-signer
 
-A TypeScript library that integrates AWS KMS (Key Management Service) with [viem](https://viem.sh) to create secure Ethereum signers. This allows you to sign Ethereum transactions and messages using keys stored in AWS KMS, providing enterprise-grade security for your Ethereum operations.
+A TypeScript library that integrates AWS/GCP KMS (Key Management Service) with [viem](https://viem.sh) to create secure Ethereum signers. This allows you to sign Ethereum transactions and messages using keys stored in AWS or GCP KMS, providing enterprise-grade security for your Ethereum operations.
 
 ## Features
 
 - **AWS KMS Integration**: Sign Ethereum transactions using keys securely stored in AWS KMS
+- **GCP KMS Support**: Also supports Google Cloud Platform KMS for multi-cloud deployments
 - **Full EIP Compliance**: Supports EIP-191 (personal messages), EIP-712 (typed data), EIP-155 (replay protection), EIP-2 (signature normalization)
 - **Type-Safe**: Built with TypeScript in strict mode with comprehensive type definitions
 - **viem Compatible**: Seamlessly integrates with viem's Account system via `toAccount`
-- **DER Signature Parsing**: Automatically converts AWS KMS DER-encoded signatures to Ethereum format
+- **DER Signature Parsing**: Automatically converts AWS/GCP KMS DER-encoded signatures to Ethereum format
 - **Comprehensive Error Handling**: Custom error classes for better debugging
-- **Well-Tested**: 51 tests covering all functionality with 100% type safety
+- **Well-Tested**: 169 tests covering all functionality with 100% type safety
 
 ## Installation
 
@@ -30,9 +31,11 @@ Or with yarn:
 yarn add evm-kms-signer
 ```
 
-## Prerequisites
+## Usage
 
-### AWS KMS Key Setup
+### AWS KMS
+
+#### Prerequisites
 
 1. **Create an ECC Key in AWS KMS**:
    - Go to AWS KMS Console
@@ -50,7 +53,7 @@ yarn add evm-kms-signer
 3. **Note Your Key ID**:
    Copy the Key ARN or Key ID for use in your application.
 
-### Environment Variables
+#### Environment Variables
 
 Create a `.env` file in your project root:
 
@@ -63,9 +66,7 @@ AWS_ACCESS_KEY_ID=your_access_key
 AWS_SECRET_ACCESS_KEY=your_secret_key
 ```
 
-## Quick Start
-
-### Signing a Message
+#### Basic Usage
 
 ```typescript
 import 'dotenv/config'
@@ -93,7 +94,7 @@ async function main() {
 main().catch(console.error)
 ```
 
-### Sending a Transaction
+#### Use with viem
 
 ```typescript
 import 'dotenv/config'
@@ -130,6 +131,63 @@ async function main() {
 main().catch(console.error)
 ```
 
+### GCP KMS
+
+#### Prerequisites
+
+1. **Create a KMS key ring and crypto key in GCP Console**:
+   - Go to Google Cloud Console → Security → Key Management
+   - Create a new key ring in your desired location
+   - Create a crypto key with purpose "Asymmetric sign"
+   - Choose **Elliptic Curve P-256 - SHA256 Digest** algorithm (secp256k1 for Ethereum)
+
+2. **Grant Permissions**:
+   Grant `roles/cloudkms.cryptoKeySignerVerifier` permission to your service account:
+   ```bash
+   gcloud kms keys add-iam-policy-binding KEY_ID \
+     --location=LOCATION \
+     --keyring=KEYRING_ID \
+     --member=serviceAccount:SERVICE_ACCOUNT_EMAIL \
+     --role=roles/cloudkms.cryptoKeySignerVerifier
+   ```
+
+3. **Set up authentication**:
+   - Set `GOOGLE_APPLICATION_CREDENTIALS` environment variable pointing to your service account key file, or
+   - Pass `keyFilename` in config
+
+#### Basic Usage
+
+```typescript
+import { GcpSigner } from 'evm-kms-signer';
+
+const signer = new GcpSigner({
+  projectId: 'your-project-id',
+  locationId: 'global',
+  keyRingId: 'your-keyring-id',
+  keyId: 'your-key-id',
+  keyVersion: '1',
+  keyFilename: '/path/to/service-account-key.json', // optional
+});
+
+const address = await signer.getAddress();
+const signature = await signer.signMessage({ message: 'Hello!' });
+```
+
+#### Use with viem
+
+```typescript
+import { createWalletClient, http } from 'viem';
+import { mainnet } from 'viem/chains';
+import { toGcpKmsAccount } from 'evm-kms-signer';
+
+const account = await toGcpKmsAccount(signer);
+const client = createWalletClient({
+  account,
+  chain: mainnet,
+  transport: http(),
+});
+```
+
 ## API Documentation
 
 ### `KmsSigner`
@@ -302,4 +360,5 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 - Built with [viem](https://viem.sh) - Modern TypeScript Ethereum library
 - Uses [AWS SDK for JavaScript v3](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/)
+- Uses [Google Cloud KMS Client Library](https://cloud.google.com/nodejs/docs/reference/kms/latest)
 - Inspired by the need for secure key management in Ethereum applications

package/dist/account.d.ts

@@ -1,4 +1,5 @@
 import type { LocalAccount } from 'viem';
+import type { GcpSigner } from './gcp/signer';
 import type { KmsSigner } from './kms/signer';
 /**
  * Create a viem Account from KmsSigner.
@@ -22,4 +23,32 @@ import type { KmsSigner } from './kms/signer';
  * ```
  */
 export declare function toKmsAccount(signer: KmsSigner): Promise<LocalAccount>;
+/**
+ * Create a viem Account from GcpSigner.
+ *
+ * Wraps GcpSigner methods to match viem's Account interface,
+ * enabling use with viem clients (walletClient, etc.)
+ *
+ * @param signer - GcpSigner instance
+ * @returns viem Account with GCP KMS signing capabilities
+ *
+ * @example
+ * ```typescript
+ * const signer = new GcpSigner({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ * const account = await toGcpKmsAccount(signer)
+ *
+ * const client = createWalletClient({
+ *   account,
+ *   chain: mainnet,
+ *   transport: http()
+ * })
+ * ```
+ */
+export declare function toGcpKmsAccount(signer: GcpSigner): Promise<LocalAccount>;
 //# sourceMappingURL=account.d.ts.map

package/dist/account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account.d.ts","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,MAAM,CAAC;AAEzC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,CAe3E"}
+{"version":3,"file":"account.d.ts","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,MAAM,CAAC;AAEzC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,CAe3E;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,eAAe,CACpC,MAAM,EAAE,SAAS,GACf,OAAO,CAAC,YAAY,CAAC,CAevB"}

package/dist/account.js

@@ -33,4 +33,44 @@ export async function toKmsAccount(signer) {
         signTypedData: async (typedData) => signer.signTypedData(typedData),
     });
 }
+/**
+ * Create a viem Account from GcpSigner.
+ *
+ * Wraps GcpSigner methods to match viem's Account interface,
+ * enabling use with viem clients (walletClient, etc.)
+ *
+ * @param signer - GcpSigner instance
+ * @returns viem Account with GCP KMS signing capabilities
+ *
+ * @example
+ * ```typescript
+ * const signer = new GcpSigner({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ * const account = await toGcpKmsAccount(signer)
+ *
+ * const client = createWalletClient({
+ *   account,
+ *   chain: mainnet,
+ *   transport: http()
+ * })
+ * ```
+ */
+export async function toGcpKmsAccount(signer) {
+    const address = await signer.getAddress();
+    return toAccount({
+        address,
+        signMessage: async ({ message }) => {
+            // Convert SignableMessage to string for GcpSigner
+            const messageStr = typeof message === 'string' ? message : message.raw.toString();
+            return signer.signMessage({ message: messageStr });
+        },
+        signTransaction: async (transaction, options) => signer.signTransaction(transaction, options),
+        signTypedData: async (typedData) => signer.signTypedData(typedData),
+    });
+}
 //# sourceMappingURL=account.js.map

package/dist/account.js.map

@@ -1 +1 @@
-{"version":3,"file":"account.js","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAiB;IACnD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAE1C,OAAO,SAAS,CAAC;QAChB,OAAO;QACP,WAAW,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;YAClC,kDAAkD;YAClD,MAAM,UAAU,GACf,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAChE,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,CAC/C,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC;QAC7C,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC;KACnE,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"account.js","sourceRoot":"","sources":["../src/account.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAI1C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAiB;IACnD,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAE1C,OAAO,SAAS,CAAC;QAChB,OAAO;QACP,WAAW,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;YAClC,kDAAkD;YAClD,MAAM,UAAU,GACf,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAChE,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,CAC/C,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC;QAC7C,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC;KACnE,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACpC,MAAiB;IAEjB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAE1C,OAAO,SAAS,CAAC;QAChB,OAAO;QACP,WAAW,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;YAClC,kDAAkD;YAClD,MAAM,UAAU,GACf,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAChE,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,eAAe,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,CAC/C,MAAM,CAAC,eAAe,CAAC,WAAW,EAAE,OAAO,CAAC;QAC7C,aAAa,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC;KACnE,CAAC,CAAC;AACJ,CAAC"}

package/dist/gcp/client.d.ts

@@ -0,0 +1,91 @@
+import type { GcpKmsConfig } from '../types';
+/**
+ * GcpClient wraps GCP KMS SDK operations for key management and signing.
+ *
+ * This class provides a simplified interface to GCP KMS for:
+ * - Retrieving public keys from KMS
+ * - Signing message digests with KMS-stored private keys
+ *
+ * @example
+ * ```typescript
+ * const client = new GcpClient({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ *
+ * const publicKey = await client.getPublicKey()
+ * const signature = await client.sign(messageHash)
+ * ```
+ */
+export declare class GcpClient {
+    private client;
+    private keyName;
+    /**
+     * Creates a new GCP KMS client instance.
+     *
+     * @param config - GCP KMS configuration including project, location, key ring, key, and version
+     *
+     * @remarks
+     * If keyFilename is not provided, the GCP SDK will use the default credential provider chain:
+     * - GOOGLE_APPLICATION_CREDENTIALS environment variable
+     * - Application Default Credentials (ADC)
+     * - Service account attached to the compute resource
+     */
+    constructor(config: GcpKmsConfig);
+    /**
+     * Retrieves the public key from GCP KMS.
+     *
+     * @returns The public key in DER-encoded SubjectPublicKeyInfo (SPKI) format
+     * @throws {KmsClientError} If the KMS API call fails or returns no public key
+     *
+     * @remarks
+     * GCP KMS returns the public key in PEM format, which is converted to DER format.
+     * The returned public key is in SPKI format with a variable-length DER header.
+     * The last 65 bytes contain the uncompressed secp256k1 public key (0x04 + x + y).
+     */
+    getPublicKey(): Promise<Uint8Array>;
+    /**
+     * Signs a message hash using the GCP KMS-stored private key.
+     *
+     * @param messageHash - The pre-hashed message to sign (32 bytes for keccak256)
+     * @returns The signature in DER-encoded format (SEQUENCE { INTEGER r, INTEGER s })
+     * @throws {KmsClientError} If the KMS API call fails or returns no signature
+     *
+     * @remarks
+     * - The messageHash should already be hashed (e.g., with keccak256)
+     * - GCP KMS uses EC_SIGN_SECP256K1_SHA256 algorithm for signing
+     * - The returned signature is DER-encoded and needs to be parsed to extract r and s values
+     */
+    sign(messageHash: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Converts PEM-encoded data to DER-encoded format.
+     *
+     * @param pem - PEM-encoded public key string
+     * @returns DER-encoded public key as Uint8Array
+     * @throws {KmsClientError} If PEM format is invalid
+     *
+     * @remarks
+     * PEM format consists of:
+     * - Header line: -----BEGIN PUBLIC KEY-----
+     * - Base64-encoded DER data
+     * - Footer line: -----END PUBLIC KEY-----
+     *
+     * This method extracts the Base64 data and decodes it to DER format.
+     */
+    private pemToDer;
+    /**
+     * Calculates CRC32C checksum for data integrity verification.
+     *
+     * @param data - Data to calculate checksum for
+     * @returns CRC32C checksum as number
+     *
+     * @remarks
+     * GCP KMS requires CRC32C checksums for request/response integrity verification.
+     * This is a simple implementation using a lookup table.
+     */
+    private calculateCrc32c;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/gcp/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/gcp/client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,SAAS;IACrB,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,OAAO,CAAS;IAExB;;;;;;;;;;OAUG;gBACS,MAAM,EAAE,YAAY;IAUhC;;;;;;;;;;OAUG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAqBzC;;;;;;;;;;;OAWG;IACG,IAAI,CAAC,WAAW,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAqDxD;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,QAAQ;IAkBhB;;;;;;;;;OASG;IACH,OAAO,CAAC,eAAe;CAkBvB"}

package/dist/gcp/client.js

@@ -0,0 +1,179 @@
+import { KeyManagementServiceClient } from '@google-cloud/kms';
+import { KmsClientError } from '../errors';
+/**
+ * GcpClient wraps GCP KMS SDK operations for key management and signing.
+ *
+ * This class provides a simplified interface to GCP KMS for:
+ * - Retrieving public keys from KMS
+ * - Signing message digests with KMS-stored private keys
+ *
+ * @example
+ * ```typescript
+ * const client = new GcpClient({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ *
+ * const publicKey = await client.getPublicKey()
+ * const signature = await client.sign(messageHash)
+ * ```
+ */
+export class GcpClient {
+    /**
+     * Creates a new GCP KMS client instance.
+     *
+     * @param config - GCP KMS configuration including project, location, key ring, key, and version
+     *
+     * @remarks
+     * If keyFilename is not provided, the GCP SDK will use the default credential provider chain:
+     * - GOOGLE_APPLICATION_CREDENTIALS environment variable
+     * - Application Default Credentials (ADC)
+     * - Service account attached to the compute resource
+     */
+    constructor(config) {
+        this.client = new KeyManagementServiceClient(config.keyFilename ? { keyFilename: config.keyFilename } : {});
+        // Construct the full key resource name
+        // Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{key}/cryptoKeyVersions/{version}
+        this.keyName = `projects/${config.projectId}/locations/${config.locationId}/keyRings/${config.keyRingId}/cryptoKeys/${config.keyId}/cryptoKeyVersions/${config.keyVersion}`;
+    }
+    /**
+     * Retrieves the public key from GCP KMS.
+     *
+     * @returns The public key in DER-encoded SubjectPublicKeyInfo (SPKI) format
+     * @throws {KmsClientError} If the KMS API call fails or returns no public key
+     *
+     * @remarks
+     * GCP KMS returns the public key in PEM format, which is converted to DER format.
+     * The returned public key is in SPKI format with a variable-length DER header.
+     * The last 65 bytes contain the uncompressed secp256k1 public key (0x04 + x + y).
+     */
+    async getPublicKey() {
+        try {
+            const [publicKey] = await this.client.getPublicKey({
+                name: this.keyName,
+            });
+            if (!publicKey.pem) {
+                throw new KmsClientError('No public key returned from GCP KMS');
+            }
+            // Convert PEM to DER format
+            return this.pemToDer(publicKey.pem);
+        }
+        catch (error) {
+            if (error instanceof KmsClientError)
+                throw error;
+            throw new KmsClientError(`Failed to get public key from GCP KMS: ${error instanceof Error ? error.message : 'Unknown error'}`, error instanceof Error ? error : undefined);
+        }
+    }
+    /**
+     * Signs a message hash using the GCP KMS-stored private key.
+     *
+     * @param messageHash - The pre-hashed message to sign (32 bytes for keccak256)
+     * @returns The signature in DER-encoded format (SEQUENCE { INTEGER r, INTEGER s })
+     * @throws {KmsClientError} If the KMS API call fails or returns no signature
+     *
+     * @remarks
+     * - The messageHash should already be hashed (e.g., with keccak256)
+     * - GCP KMS uses EC_SIGN_SECP256K1_SHA256 algorithm for signing
+     * - The returned signature is DER-encoded and needs to be parsed to extract r and s values
+     */
+    async sign(messageHash) {
+        try {
+            // Create CRC32C checksum for message integrity
+            const crc32c = this.calculateCrc32c(messageHash);
+            const [response] = await this.client.asymmetricSign({
+                name: this.keyName,
+                digest: {
+                    sha256: messageHash,
+                },
+                digestCrc32c: {
+                    value: crc32c,
+                },
+            });
+            if (!response.signature) {
+                throw new KmsClientError('No signature returned from GCP KMS');
+            }
+            // Convert signature to Uint8Array
+            const signatureBytes = typeof response.signature === 'string'
+                ? Buffer.from(response.signature, 'base64')
+                : response.signature instanceof Buffer
+                    ? response.signature
+                    : new Uint8Array(response.signature);
+            // Verify the signature CRC32C if provided
+            if (response.signatureCrc32c && response.verifiedDigestCrc32c) {
+                const signatureCrc32c = this.calculateCrc32c(signatureBytes instanceof Buffer
+                    ? new Uint8Array(signatureBytes)
+                    : signatureBytes);
+                if (signatureCrc32c !== Number(response.signatureCrc32c.value)) {
+                    throw new KmsClientError('Signature CRC32C verification failed - data may be corrupted');
+                }
+            }
+            return signatureBytes instanceof Buffer
+                ? new Uint8Array(signatureBytes)
+                : signatureBytes;
+        }
+        catch (error) {
+            if (error instanceof KmsClientError)
+                throw error;
+            throw new KmsClientError(`Failed to sign with GCP KMS: ${error instanceof Error ? error.message : 'Unknown error'}`, error instanceof Error ? error : undefined);
+        }
+    }
+    /**
+     * Converts PEM-encoded data to DER-encoded format.
+     *
+     * @param pem - PEM-encoded public key string
+     * @returns DER-encoded public key as Uint8Array
+     * @throws {KmsClientError} If PEM format is invalid
+     *
+     * @remarks
+     * PEM format consists of:
+     * - Header line: -----BEGIN PUBLIC KEY-----
+     * - Base64-encoded DER data
+     * - Footer line: -----END PUBLIC KEY-----
+     *
+     * This method extracts the Base64 data and decodes it to DER format.
+     */
+    pemToDer(pem) {
+        try {
+            // Remove PEM header, footer, and whitespace
+            const base64 = pem
+                .replace(/-----BEGIN PUBLIC KEY-----/, '')
+                .replace(/-----END PUBLIC KEY-----/, '')
+                .replace(/\s/g, '');
+            // Decode Base64 to DER
+            return Uint8Array.from(Buffer.from(base64, 'base64'));
+        }
+        catch (error) {
+            throw new KmsClientError(`Failed to convert PEM to DER: ${error instanceof Error ? error.message : 'Unknown error'}`, error instanceof Error ? error : undefined);
+        }
+    }
+    /**
+     * Calculates CRC32C checksum for data integrity verification.
+     *
+     * @param data - Data to calculate checksum for
+     * @returns CRC32C checksum as number
+     *
+     * @remarks
+     * GCP KMS requires CRC32C checksums for request/response integrity verification.
+     * This is a simple implementation using a lookup table.
+     */
+    calculateCrc32c(data) {
+        // CRC32C polynomial lookup table
+        const crc32cTable = new Int32Array(256);
+        for (let i = 0; i < 256; i++) {
+            let c = i;
+            for (let j = 0; j < 8; j++) {
+                c = c & 1 ? 0x82f63b78 ^ (c >>> 1) : c >>> 1;
+            }
+            crc32cTable[i] = c;
+        }
+        let crc = 0xffffffff;
+        for (let i = 0; i < data.length; i++) {
+            crc = crc32cTable[(crc ^ data[i]) & 0xff] ^ (crc >>> 8);
+        }
+        return (crc ^ 0xffffffff) >>> 0;
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/gcp/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/gcp/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,SAAS;IAIrB;;;;;;;;;;OAUG;IACH,YAAY,MAAoB;QAC/B,IAAI,CAAC,MAAM,GAAG,IAAI,0BAA0B,CAC3C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAC7D,CAAC;QAEF,uCAAuC;QACvC,kHAAkH;QAClH,IAAI,CAAC,OAAO,GAAG,YAAY,MAAM,CAAC,SAAS,cAAc,MAAM,CAAC,UAAU,aAAa,MAAM,CAAC,SAAS,eAAe,MAAM,CAAC,KAAK,sBAAsB,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7K,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,YAAY;QACjB,IAAI,CAAC;YACJ,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;gBAClD,IAAI,EAAE,IAAI,CAAC,OAAO;aAClB,CAAC,CAAC;YAEH,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,CAAC;gBACpB,MAAM,IAAI,cAAc,CAAC,qCAAqC,CAAC,CAAC;YACjE,CAAC;YAED,4BAA4B;YAC5B,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,cAAc;gBAAE,MAAM,KAAK,CAAC;YACjD,MAAM,IAAI,cAAc,CACvB,0CAA0C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,EACpG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC1C,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,IAAI,CAAC,WAAuB;QACjC,IAAI,CAAC;YACJ,+CAA+C;YAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;YAEjD,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;gBACnD,IAAI,EAAE,IAAI,CAAC,OAAO;gBAClB,MAAM,EAAE;oBACP,MAAM,EAAE,WAAW;iBACnB;gBACD,YAAY,EAAE;oBACb,KAAK,EAAE,MAAM;iBACb;aACD,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CAAC,oCAAoC,CAAC,CAAC;YAChE,CAAC;YAED,kCAAkC;YAClC,MAAM,cAAc,GACnB,OAAO,QAAQ,CAAC,SAAS,KAAK,QAAQ;gBACrC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,QAAQ,CAAC;gBAC3C,CAAC,CAAC,QAAQ,CAAC,SAAS,YAAY,MAAM;oBACrC,CAAC,CAAC,QAAQ,CAAC,SAAS;oBACpB,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAExC,0CAA0C;YAC1C,IAAI,QAAQ,CAAC,eAAe,IAAI,QAAQ,CAAC,oBAAoB,EAAE,CAAC;gBAC/D,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAC3C,cAAc,YAAY,MAAM;oBAC/B,CAAC,CAAC,IAAI,UAAU,CAAC,cAAc,CAAC;oBAChC,CAAC,CAAC,cAAc,CACjB,CAAC;gBACF,IAAI,eAAe,KAAK,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChE,MAAM,IAAI,cAAc,CACvB,8DAA8D,CAC9D,CAAC;gBACH,CAAC;YACF,CAAC;YAED,OAAO,cAAc,YAAY,MAAM;gBACtC,CAAC,CAAC,IAAI,UAAU,CAAC,cAAc,CAAC;gBAChC,CAAC,CAAC,cAAc,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,cAAc;gBAAE,MAAM,KAAK,CAAC;YACjD,MAAM,IAAI,cAAc,CACvB,gCAAgC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,EAC1F,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC1C,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACK,QAAQ,CAAC,GAAW;QAC3B,IAAI,CAAC;YACJ,4CAA4C;YAC5C,MAAM,MAAM,GAAG,GAAG;iBAChB,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;iBACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;iBACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAErB,uBAAuB;YACvB,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,cAAc,CACvB,iCAAiC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,EAC3F,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC1C,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;;;OASG;IACK,eAAe,CAAC,IAAgB;QACvC,iCAAiC;QACjC,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;QACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,GAAG,CAAC,CAAC;YACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC5B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;YAC9C,CAAC;YACD,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;QAED,IAAI,GAAG,GAAG,UAAU,CAAC;QACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,GAAG,GAAG,WAAW,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,CAAC,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;CACD"}

package/dist/gcp/signer.d.ts

@@ -0,0 +1,212 @@
+import type { TypedData } from 'abitype';
+import type { Address, Hex, SerializeTransactionFn, TransactionSerializable, TypedDataDefinition } from 'viem';
+import type { GcpKmsConfig } from '../types';
+/**
+ * GcpSigner provides Ethereum signing capabilities using GCP KMS.
+ *
+ * This class manages the interaction with GCP KMS for cryptographic operations
+ * required by Ethereum accounts:
+ * - Public key retrieval and caching
+ * - Ethereum address derivation from KMS public key
+ * - Message and transaction signing
+ *
+ * The signer caches expensive operations (public key retrieval, address derivation)
+ * to avoid unnecessary KMS API calls.
+ *
+ * @example
+ * ```typescript
+ * const signer = new GcpSigner({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ *
+ * const address = await signer.getAddress()
+ * console.log('Ethereum address:', address)
+ * ```
+ */
+export declare class GcpSigner {
+    private gcpClient;
+    private cachedAddress?;
+    private cachedPublicKey?;
+    /**
+     * Creates a new GCP KMS signer instance.
+     *
+     * @param config - GCP KMS configuration including project, location, key ring, key, and version
+     *
+     * @remarks
+     * The constructor initializes the GCP KMS client but does not make any API calls.
+     * Public key retrieval and address derivation happen lazily on first use.
+     */
+    constructor(config: GcpKmsConfig);
+    /**
+     * Retrieves the uncompressed secp256k1 public key from GCP KMS.
+     *
+     * The public key is retrieved from KMS and extracted from the DER-encoded
+     * SubjectPublicKeyInfo format. The result is cached to avoid redundant KMS calls.
+     *
+     * @returns 65-byte uncompressed public key (0x04 + x coordinate + y coordinate)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The public key format is:
+     * - Byte 0: 0x04 (uncompressed point indicator)
+     * - Bytes 1-32: x coordinate of the public key
+     * - Bytes 33-64: y coordinate of the public key
+     */
+    getPublicKey(): Promise<Uint8Array>;
+    /**
+     * Derives the Ethereum address from the GCP KMS public key.
+     *
+     * The address is calculated by:
+     * 1. Retrieving the public key from KMS (cached if available)
+     * 2. Hashing the public key coordinates with keccak256
+     * 3. Taking the last 20 bytes as the address
+     *
+     * The result is cached to avoid redundant derivation.
+     *
+     * @returns Ethereum address (0x-prefixed, 40 hex characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The returned address follows EIP-55 checksum encoding.
+     */
+    getAddress(): Promise<Address>;
+    /**
+     * Signs a hash using the GCP KMS private key (internal helper method).
+     *
+     * This method is used internally by signMessage, signTransaction, and signTypedData.
+     * It converts the hash to bytes, signs with KMS, parses the DER signature,
+     * and normalizes the s value according to EIP-2.
+     *
+     * @param hash - The hash to sign (32 bytes, hex-encoded)
+     * @returns Object containing r and s as bigints
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {SignatureNormalizationError} If s value is out of valid range
+     *
+     * @remarks
+     * The s value is automatically normalized to the lower half of the curve order (EIP-2)
+     * to prevent signature malleability attacks.
+     */
+    private signHash;
+    /**
+     * Signs a message using EIP-191 personal_sign standard.
+     *
+     * This method:
+     * 1. Hashes the message with EIP-191 prefix: "\x19Ethereum Signed Message:\n" + len(message) + message
+     * 2. Signs the hash with GCP KMS
+     * 3. Calculates the recovery ID to enable public key recovery
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param params - Object containing the message string
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signature = await signer.signMessage({ message: 'Hello, world!' })
+     * // signature: '0x...' (130 characters: 0x + 64 hex chars for r + 64 for s + 2 for v)
+     * ```
+     */
+    signMessage({ message }: {
+        message: string;
+    }): Promise<Hex>;
+    /**
+     * Signs an Ethereum transaction.
+     *
+     * This method:
+     * 1. Serializes the transaction without signature fields (r, s, v)
+     * 2. Hashes the serialized transaction with keccak256
+     * 3. Signs the hash with GCP KMS
+     * 4. Calculates the recovery ID
+     * 5. Computes the v value (EIP-155 if chainId present, legacy otherwise)
+     * 6. Returns the fully serialized transaction with signature
+     *
+     * @param transaction - The transaction to sign
+     * @param options - Optional serializer function (defaults to viem's serializeTransaction)
+     * @returns The serialized signed transaction as a hex string
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signedTx = await signer.signTransaction({
+     *   to: '0x...',
+     *   value: parseEther('1'),
+     *   chainId: 1
+     * })
+     * ```
+     */
+    signTransaction(transaction: TransactionSerializable, { serializer, }?: {
+        serializer?: SerializeTransactionFn;
+    }): Promise<Hex>;
+    /**
+     * Signs typed data according to EIP-712.
+     *
+     * This method:
+     * 1. Hashes the typed data using EIP-712 (domain separator + type hash)
+     * 2. Signs the hash with GCP KMS
+     * 3. Calculates the recovery ID
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param typedData - The EIP-712 typed data to sign
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signature = await signer.signTypedData({
+     *   domain: {
+     *     name: 'MyApp',
+     *     version: '1',
+     *     chainId: 1,
+     *     verifyingContract: '0x...'
+     *   },
+     *   types: {
+     *     Person: [
+     *       { name: 'name', type: 'string' },
+     *       { name: 'wallet', type: 'address' }
+     *     ]
+     *   },
+     *   primaryType: 'Person',
+     *   message: {
+     *     name: 'Alice',
+     *     wallet: '0x...'
+     *   }
+     * })
+     * ```
+     */
+    signTypedData<const TTypedData extends TypedData | Record<string, unknown>, TPrimaryType extends keyof TTypedData | 'EIP712Domain' = keyof TTypedData>(typedData: TypedDataDefinition<TTypedData, TPrimaryType>): Promise<Hex>;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/gcp/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/gcp/signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,KAAK,EACX,OAAO,EACP,GAAG,EACH,sBAAsB,EACtB,uBAAuB,EACvB,mBAAmB,EACnB,MAAM,MAAM,CAAC;AAUd,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAU7C;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,SAAS;IACrB,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,aAAa,CAAC,CAAU;IAChC,OAAO,CAAC,eAAe,CAAC,CAAa;IAErC;;;;;;;;OAQG;gBACS,MAAM,EAAE,YAAY;IAIhC;;;;;;;;;;;;;;;OAeG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAWzC;;;;;;;;;;;;;;;;OAgBG;IACG,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAWpC;;;;;;;;;;;;;;;;OAgBG;YACW,QAAQ;IAoBtB;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,WAAW,CAAC,EAAE,OAAO,EAAE,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IA2BjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;IACG,eAAe,CACpB,WAAW,EAAE,uBAAuB,EACpC,EACC,UAAiC,GACjC,GAAE;QAAE,UAAU,CAAC,EAAE,sBAAsB,CAAA;KAAO,GAC7C,OAAO,CAAC,GAAG,CAAC;IAqCf;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4CG;IACG,aAAa,CAClB,KAAK,CAAC,UAAU,SAAS,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5D,YAAY,SAAS,MAAM,UAAU,GAAG,cAAc,GAAG,MAAM,UAAU,EACxE,SAAS,EAAE,mBAAmB,CAAC,UAAU,EAAE,YAAY,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;CA0BzE"}

package/dist/gcp/signer.js

@@ -0,0 +1,296 @@
+import { concat, fromHex, hashMessage, hashTypedData, keccak256, serializeTransaction, toHex, } from 'viem';
+import { extractPublicKeyFromDer, publicKeyToAddress } from '../utils/address';
+import { parseDerSignature } from '../utils/der';
+import { calculateRecoveryId, normalizeS, uint8ArrayToBigInt, } from '../utils/signature';
+import { GcpClient } from './client';
+/**
+ * GcpSigner provides Ethereum signing capabilities using GCP KMS.
+ *
+ * This class manages the interaction with GCP KMS for cryptographic operations
+ * required by Ethereum accounts:
+ * - Public key retrieval and caching
+ * - Ethereum address derivation from KMS public key
+ * - Message and transaction signing
+ *
+ * The signer caches expensive operations (public key retrieval, address derivation)
+ * to avoid unnecessary KMS API calls.
+ *
+ * @example
+ * ```typescript
+ * const signer = new GcpSigner({
+ *   projectId: 'my-project',
+ *   locationId: 'global',
+ *   keyRingId: 'my-keyring',
+ *   keyId: 'my-key',
+ *   keyVersion: '1'
+ * })
+ *
+ * const address = await signer.getAddress()
+ * console.log('Ethereum address:', address)
+ * ```
+ */
+export class GcpSigner {
+    /**
+     * Creates a new GCP KMS signer instance.
+     *
+     * @param config - GCP KMS configuration including project, location, key ring, key, and version
+     *
+     * @remarks
+     * The constructor initializes the GCP KMS client but does not make any API calls.
+     * Public key retrieval and address derivation happen lazily on first use.
+     */
+    constructor(config) {
+        this.gcpClient = new GcpClient(config);
+    }
+    /**
+     * Retrieves the uncompressed secp256k1 public key from GCP KMS.
+     *
+     * The public key is retrieved from KMS and extracted from the DER-encoded
+     * SubjectPublicKeyInfo format. The result is cached to avoid redundant KMS calls.
+     *
+     * @returns 65-byte uncompressed public key (0x04 + x coordinate + y coordinate)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The public key format is:
+     * - Byte 0: 0x04 (uncompressed point indicator)
+     * - Bytes 1-32: x coordinate of the public key
+     * - Bytes 33-64: y coordinate of the public key
+     */
+    async getPublicKey() {
+        if (this.cachedPublicKey) {
+            return this.cachedPublicKey;
+        }
+        const derPublicKey = await this.gcpClient.getPublicKey();
+        const publicKey = extractPublicKeyFromDer(derPublicKey);
+        this.cachedPublicKey = publicKey;
+        return publicKey;
+    }
+    /**
+     * Derives the Ethereum address from the GCP KMS public key.
+     *
+     * The address is calculated by:
+     * 1. Retrieving the public key from KMS (cached if available)
+     * 2. Hashing the public key coordinates with keccak256
+     * 3. Taking the last 20 bytes as the address
+     *
+     * The result is cached to avoid redundant derivation.
+     *
+     * @returns Ethereum address (0x-prefixed, 40 hex characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The returned address follows EIP-55 checksum encoding.
+     */
+    async getAddress() {
+        if (this.cachedAddress) {
+            return this.cachedAddress;
+        }
+        const publicKey = await this.getPublicKey();
+        const address = publicKeyToAddress(publicKey);
+        this.cachedAddress = address;
+        return address;
+    }
+    /**
+     * Signs a hash using the GCP KMS private key (internal helper method).
+     *
+     * This method is used internally by signMessage, signTransaction, and signTypedData.
+     * It converts the hash to bytes, signs with KMS, parses the DER signature,
+     * and normalizes the s value according to EIP-2.
+     *
+     * @param hash - The hash to sign (32 bytes, hex-encoded)
+     * @returns Object containing r and s as bigints
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {SignatureNormalizationError} If s value is out of valid range
+     *
+     * @remarks
+     * The s value is automatically normalized to the lower half of the curve order (EIP-2)
+     * to prevent signature malleability attacks.
+     */
+    async signHash(hash) {
+        // Convert Hex to Uint8Array
+        const hashBytes = fromHex(hash, 'bytes');
+        // Sign with GCP KMS
+        const derSignature = await this.gcpClient.sign(hashBytes);
+        // Parse DER signature
+        const { r: rBytes, s: sBytes } = parseDerSignature(derSignature);
+        // Convert to bigint
+        const r = uint8ArrayToBigInt(rBytes);
+        let s = uint8ArrayToBigInt(sBytes);
+        // EIP-2 normalization
+        s = normalizeS(s);
+        return { r, s };
+    }
+    /**
+     * Signs a message using EIP-191 personal_sign standard.
+     *
+     * This method:
+     * 1. Hashes the message with EIP-191 prefix: "\x19Ethereum Signed Message:\n" + len(message) + message
+     * 2. Signs the hash with GCP KMS
+     * 3. Calculates the recovery ID to enable public key recovery
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param params - Object containing the message string
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signature = await signer.signMessage({ message: 'Hello, world!' })
+     * // signature: '0x...' (130 characters: 0x + 64 hex chars for r + 64 for s + 2 for v)
+     * ```
+     */
+    async signMessage({ message }) {
+        // EIP-191 hashing (viem handles automatically)
+        const messageHash = hashMessage(message);
+        // Sign with GCP KMS
+        const { r, s } = await this.signHash(messageHash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(messageHash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value (Legacy, no chain)
+        const v = 27 + recoveryId;
+        // Serialize signature
+        return concat([
+            toHex(r, { size: 32 }),
+            toHex(s, { size: 32 }),
+            toHex(v, { size: 1 }),
+        ]);
+    }
+    /**
+     * Signs an Ethereum transaction.
+     *
+     * This method:
+     * 1. Serializes the transaction without signature fields (r, s, v)
+     * 2. Hashes the serialized transaction with keccak256
+     * 3. Signs the hash with GCP KMS
+     * 4. Calculates the recovery ID
+     * 5. Computes the v value (EIP-155 if chainId present, legacy otherwise)
+     * 6. Returns the fully serialized transaction with signature
+     *
+     * @param transaction - The transaction to sign
+     * @param options - Optional serializer function (defaults to viem's serializeTransaction)
+     * @returns The serialized signed transaction as a hex string
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signedTx = await signer.signTransaction({
+     *   to: '0x...',
+     *   value: parseEther('1'),
+     *   chainId: 1
+     * })
+     * ```
+     */
+    async signTransaction(transaction, { serializer = serializeTransaction, } = {}) {
+        // Serialize transaction for signing (without r, s, v)
+        const serializedTx = serializeTransaction({
+            ...transaction,
+            r: undefined,
+            s: undefined,
+            v: undefined,
+        });
+        const hash = keccak256(serializedTx);
+        // Sign with GCP KMS
+        const { r, s } = await this.signHash(hash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(hash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value
+        const chainId = transaction.chainId;
+        const v = chainId
+            ? BigInt(chainId * 2 + 35 + recoveryId) // EIP-155
+            : BigInt(27 + recoveryId); // Legacy
+        // Final serialization with signature
+        return serializer({
+            ...transaction,
+            r: toHex(r, { size: 32 }),
+            s: toHex(s, { size: 32 }),
+            v,
+        });
+    }
+    /**
+     * Signs typed data according to EIP-712.
+     *
+     * This method:
+     * 1. Hashes the typed data using EIP-712 (domain separator + type hash)
+     * 2. Signs the hash with GCP KMS
+     * 3. Calculates the recovery ID
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param typedData - The EIP-712 typed data to sign
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new GcpSigner({
+     *   projectId: 'my-project',
+     *   locationId: 'global',
+     *   keyRingId: 'my-keyring',
+     *   keyId: 'my-key',
+     *   keyVersion: '1'
+     * })
+     * const signature = await signer.signTypedData({
+     *   domain: {
+     *     name: 'MyApp',
+     *     version: '1',
+     *     chainId: 1,
+     *     verifyingContract: '0x...'
+     *   },
+     *   types: {
+     *     Person: [
+     *       { name: 'name', type: 'string' },
+     *       { name: 'wallet', type: 'address' }
+     *     ]
+     *   },
+     *   primaryType: 'Person',
+     *   message: {
+     *     name: 'Alice',
+     *     wallet: '0x...'
+     *   }
+     * })
+     * ```
+     */
+    async signTypedData(typedData) {
+        // EIP-712 hashing (viem handles domain separator and type hash)
+        const hash = hashTypedData(typedData);
+        // Sign with GCP KMS
+        const { r, s } = await this.signHash(hash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(hash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value (Legacy, no chain for typed data)
+        const v = 27 + recoveryId;
+        // Serialize signature
+        return concat([
+            toHex(r, { size: 32 }),
+            toHex(s, { size: 32 }),
+            toHex(v, { size: 1 }),
+        ]);
+    }
+}
+//# sourceMappingURL=signer.js.map

package/dist/gcp/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/gcp/signer.ts"],"names":[],"mappings":"AAQA,OAAO,EACN,MAAM,EACN,OAAO,EACP,WAAW,EACX,aAAa,EACb,SAAS,EACT,oBAAoB,EACpB,KAAK,GACL,MAAM,MAAM,CAAC;AAEd,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC/E,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EACN,mBAAmB,EACnB,UAAU,EACV,kBAAkB,GAClB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAErC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,SAAS;IAKrB;;;;;;;;OAQG;IACH,YAAY,MAAoB;QAC/B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,YAAY;QACjB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,eAAe,CAAC;QAC7B,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;QACzD,MAAM,SAAS,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,eAAe,GAAG,SAAS,CAAC;QACjC,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,UAAU;QACf,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,aAAa,CAAC;QAC3B,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC5C,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC;QAC7B,OAAO,OAAO,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACK,KAAK,CAAC,QAAQ,CAAC,IAAS;QAC/B,4BAA4B;QAC5B,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAEzC,oBAAoB;QACpB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE1D,sBAAsB;QACtB,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;QAEjE,oBAAoB;QACpB,MAAM,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAEnC,sBAAsB;QACtB,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAElB,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IACjB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,KAAK,CAAC,WAAW,CAAC,EAAE,OAAO,EAAuB;QACjD,+CAA+C;QAC/C,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QAEzC,oBAAoB;QACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAElD,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC3C,WAAW,EACX,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACP,CAAC;QAEF,uCAAuC;QACvC,MAAM,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;QAE1B,sBAAsB;QACtB,OAAO,MAAM,CAAC;YACb,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;SACrB,CAAQ,CAAC;IACX,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;IACH,KAAK,CAAC,eAAe,CACpB,WAAoC,EACpC,EACC,UAAU,GAAG,oBAAoB,MACW,EAAE;QAE/C,sDAAsD;QACtD,MAAM,YAAY,GAAG,oBAAoB,CAAC;YACzC,GAAG,WAAW;YACd,CAAC,EAAE,SAAS;YACZ,CAAC,EAAE,SAAS;YACZ,CAAC,EAAE,SAAS;SACZ,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;QAErC,oBAAoB;QACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAE3C,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC3C,IAAI,EACJ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACP,CAAC;QAEF,oBAAoB;QACpB,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC;QACpC,MAAM,CAAC,GAAG,OAAO;YAChB,CAAC,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,CAAC,UAAU;YAClD,CAAC,CAAC,MAAM,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,SAAS;QAErC,qCAAqC;QACrC,OAAO,UAAU,CAAC;YACjB,GAAG,WAAW;YACd,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACzB,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACzB,CAAC;SACD,CAAC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4CG;IACH,KAAK,CAAC,aAAa,CAGjB,SAAwD;QACzD,gEAAgE;QAChE,MAAM,IAAI,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QAEtC,oBAAoB;QACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAE3C,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC3C,IAAI,EACJ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACP,CAAC;QAEF,sDAAsD;QACtD,MAAM,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;QAE1B,sBAAsB;QACtB,OAAO,MAAM,CAAC;YACb,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;SACrB,CAAQ,CAAC;IACX,CAAC;CACD"}

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 export type { Address, Hex } from 'viem';
-export { toKmsAccount } from './account';
+export { toGcpKmsAccount, toKmsAccount } from './account';
 export { DerParsingError, KmsClientError, KmsSignerError, RecoveryIdCalculationError, SignatureNormalizationError, } from './errors';
+export { GcpSigner } from './gcp/signer';
 export { KmsSigner } from './kms/signer';
-export type { DerSignature, KmsConfig, SignatureData } from './types';
+export type { DerSignature, GcpKmsConfig, KmsConfig, SignatureData, } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EACN,eAAe,EACf,cAAc,EACd,cAAc,EACd,0BAA0B,EAC1B,2BAA2B,GAC3B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAE1D,OAAO,EACN,eAAe,EACf,cAAc,EACd,cAAc,EACd,0BAA0B,EAC1B,2BAA2B,GAC3B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,YAAY,EACX,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,aAAa,GACb,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -1,6 +1,7 @@
 // Main classes and functions
-export { toKmsAccount } from './account';
+export { toGcpKmsAccount, toKmsAccount } from './account';
 // Errors
 export { DerParsingError, KmsClientError, KmsSignerError, RecoveryIdCalculationError, SignatureNormalizationError, } from './errors';
+export { GcpSigner } from './gcp/signer';
 export { KmsSigner } from './kms/signer';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAI7B,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,SAAS;AACT,OAAO,EACN,eAAe,EACf,cAAc,EACd,cAAc,EACd,0BAA0B,EAC1B,2BAA2B,GAC3B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAI7B,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC1D,SAAS;AACT,OAAO,EACN,eAAe,EACf,cAAc,EACd,cAAc,EACd,0BAA0B,EAC1B,2BAA2B,GAC3B,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}

package/dist/types/index.d.ts

@@ -19,6 +19,36 @@ export interface KmsConfig {
         secretAccessKey: string;
     };
 }
+/**
+ * GCP KMS configuration for signing operations
+ */
+export interface GcpKmsConfig {
+    /**
+     * GCP project ID where the KMS key is located
+     */
+    projectId: string;
+    /**
+     * GCP location/region (e.g., "global", "us-east1")
+     */
+    locationId: string;
+    /**
+     * Key ring ID containing the crypto key
+     */
+    keyRingId: string;
+    /**
+     * Crypto key ID to use for signing
+     */
+    keyId: string;
+    /**
+     * Crypto key version number (e.g., "1")
+     */
+    keyVersion: string;
+    /**
+     * Optional path to service account key file.
+     * If not provided, uses GOOGLE_APPLICATION_CREDENTIALS environment variable
+     */
+    keyFilename?: string;
+}
 /**
  * DER-parsed signature as raw byte arrays
  * Used internally by DER parsing utilities

package/dist/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACxB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC5B;;OAEG;IACH,CAAC,EAAE,UAAU,CAAC;IAEd;;OAEG;IACH,CAAC,EAAE,UAAU,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC7B;;OAEG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;OAEG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;;;OAIG;IACH,CAAC,EAAE,MAAM,CAAC;CACV"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;KACxB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC5B;;OAEG;IACH,CAAC,EAAE,UAAU,CAAC;IAEd;;OAEG;IACH,CAAC,EAAE,UAAU,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC7B;;OAEG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;OAEG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;;;OAIG;IACH,CAAC,EAAE,MAAM,CAAC;CACV"}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "evm-kms-signer",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "type": "module",
-  "description": "AWS KMS-based Ethereum signer for viem with enterprise-grade security. Sign transactions and messages using keys stored in AWS KMS without exposing private keys.",
+  "description": "AWS/GCP KMS-based Ethereum signer for viem with enterprise-grade security. Sign transactions and messages using keys stored in AWS or GCP KMS without exposing private keys.",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "exports": {
@@ -21,6 +21,8 @@
     "ethereum",
     "aws",
     "kms",
+    "gcp",
+    "google-cloud",
     "viem",
     "signer",
     "evm",
@@ -47,6 +49,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-kms": "^3.0.0",
+    "@google-cloud/kms": "^5.2.1",
     "abitype": "^1.1.1"
   },
   "devDependencies": {
@@ -70,6 +73,8 @@
     "test:run": "vitest run",
     "test:coverage": "vitest run --coverage",
     "example:sign": "tsx examples/sign-message.ts",
-    "example:tx": "tsx examples/send-transaction.ts"
+    "example:tx": "tsx examples/send-transaction.ts",
+    "example:gcp-sign": "tsx examples/gcp-sign-message.ts",
+    "example:gcp-tx": "tsx examples/gcp-send-transaction.ts"
   }
 }