Merge pull request #786 from LedgerHQ/rel/apa/1.17.0

App release 1.17.0

Author: apaillier-ledger

.github/workflows/build_and_functional_tests.yml

@@ -32,7 +32,7 @@ jobs:
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
     with:
       upload_app_binaries_artifact: "ragger_elfs"
-      flags: "CAL_TEST_KEY=1 TRUSTED_NAME_TEST_KEY=1 SET_PLUGIN_TEST_KEY=1 NFT_TEST_KEY=1"
+      flags: "CAL_TEST_KEY=1 TRUSTED_NAME_TEST_KEY=1 SET_PLUGIN_TEST_KEY=1 NFT_TEST_KEY=1 EIP7702_TEST_WHITELIST=1"
 
   ragger_tests:
     name: Run ragger tests using the reusable workflow

.github/workflows/codeql_checks.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        sdk: ["$NANOS_SDK", "$NANOX_SDK", "$NANOSP_SDK", "$STAX_SDK", "$FLEX_SDK"]
+        sdk: ["$NANOX_SDK", "$NANOSP_SDK", "$STAX_SDK", "$FLEX_SDK"]
         # 'cpp' covers C and C++
         language: ['cpp']
     runs-on: ubuntu-latest

.github/workflows/lint-workflow.yml

@@ -23,7 +23,6 @@ jobs:
     with:
       source: './'
       extensions: 'h,c'
-      version: 12
 
   yamllint:
     name: Check yaml files

CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.17.0](../../compare/1.16.0...1.17.0) - 2025-05-05
+
+### Added
+
+- EIP-7702 authorization signing
+- Type 4 transaction signing
+
+### Changed
+
+- Datetime formatter now supports `Unlimited` (for things that are not meant to expire)
+- Some TX check screens now play a sound (Flex / Stax)
+
+### Removed
+
+- Nano S support
+
 ## [1.16.0](../../compare/1.15.0...1.16.0) - 2025-04-28
 
 ### Added

Makefile

@@ -36,7 +36,7 @@ endif
 include ./makefile_conf/chain/$(CHAIN).mk
 
 APPVERSION_M = 1
-APPVERSION_N = 16
+APPVERSION_N = 17
 APPVERSION_P = 0
 APPVERSION = $(APPVERSION_M).$(APPVERSION_N).$(APPVERSION_P)
 

client/pyproject.toml

@@ -16,19 +16,20 @@ readme = { file = "README.md", content-type = "text/markdown" }
 # license = { file = "LICENSE" }
 classifiers = [
     "License :: OSI Approved :: Apache Software License",
-    "Programming Language :: Python :: 3.7",
-    "Programming Language :: Python :: 3.8",
     "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
     "Operating System :: POSIX :: Linux",
     "Operating System :: Microsoft :: Windows",
     "Operating System :: MacOS :: MacOS X",
 ]
 dynamic = [ "version" ]
-requires-python = ">=3.7"
+requires-python = ">=3.9"
 dependencies = [
     "ragger[speculos]",
-    "web3~=6.0",
+    "web3~=7.0",
 ]
 
 [tools.setuptools]

client/src/ledger_app_clients/ethereum/client.py

@@ -1,6 +1,6 @@
 import struct
 from enum import IntEnum
-from typing import Optional, Tuple
+from typing import Optional
 from hashlib import sha256
 import rlp
 from web3 import Web3
@@ -17,6 +17,7 @@
 from .tlv import format_tlv, FieldTag
 from .response_parser import pk_addr
 from .tx_simu import TxSimu
+from .tx_auth_7702 import TxAuth7702
 
 
 class StatusWord(IntEnum):
@@ -212,13 +213,13 @@ def eip712_filtering_trusted_name(self,
     def eip712_filtering_raw(self, name: str, sig: bytes, discarded: bool):
         return self._exchange_async(self._cmd_builder.eip712_filtering_raw(name, sig, discarded))
 
-    def serialize_tx(self, tx_params: dict) -> Tuple[bytes, bytes]:
+    def serialize_tx(self, tx_params: dict) -> tuple[bytes, bytes]:
         """Computes the serialized TX and its hash"""
 
-        tx = Web3().eth.account.create().sign_transaction(tx_params).rawTransaction
+        tx = Web3().eth.account.create().sign_transaction(tx_params).raw_transaction
         prefix = bytes()
         suffix = []
-        if tx[0] in [0x01, 0x02]:
+        if tx[0] in [0x01, 0x02, 0x04]:
             prefix = tx[:1]
             tx = tx[len(prefix):]
         else:  # legacy
@@ -330,7 +331,7 @@ def provide_trusted_name_v2(self,
                                 chain_id: int,
                                 nft_id: Optional[int] = None,
                                 challenge: Optional[int] = None,
-                                not_valid_after: Optional[Tuple[int]] = None) -> RAPDU:
+                                not_valid_after: Optional[tuple[int, int, int]] = None) -> RAPDU:
         payload = format_tlv(FieldTag.STRUCT_VERSION, 2)
         payload += format_tlv(FieldTag.TRUSTED_NAME, name)
         payload += format_tlv(FieldTag.ADDRESS, addr)
@@ -671,3 +672,9 @@ def provide_proxy_info(self, payload: bytes) -> RAPDU:
         for chunk in chunks[:-1]:
             self._exchange(chunk)
         return self._exchange(chunks[-1])
+
+    def sign_eip7702_authorization(self, bip32_path: str, auth_params: TxAuth7702) -> RAPDU:
+        chunks = self._cmd_builder.sign_eip7702_authorization(bip32_path, auth_params.serialize())
+        for chunk in chunks[:-1]:
+            self._exchange(chunk)
+        return self._exchange_async(chunks[-1])

client/src/ledger_app_clients/ethereum/command_builder.py

@@ -2,6 +2,7 @@
 # https://github.com/LedgerHQ/app-ethereum/blob/develop/doc/ethapp.adoc
 
 import struct
+import math
 from enum import IntEnum
 from typing import Optional
 from ragger.bip import pack_derivation_path
@@ -31,6 +32,7 @@ class InsType(IntEnum):
     PROVIDE_PROXY_INFO = 0x2a
     PROVIDE_NETWORK_INFORMATION = 0x30
     PROVIDE_TX_SIMULATION = 0x32
+    SIGN_EIP7702_AUTHORIZATION = 0x34
 
 
 class P1Type(IntEnum):
@@ -64,6 +66,11 @@ class P2Type(IntEnum):
 class CommandBuilder:
     _CLA: int = 0xE0
 
+    def _intToBytes(self, i: int) -> bytes:
+        if i == 0:
+            return b"\x00"
+        return i.to_bytes(math.ceil(i.bit_length() / 8), 'big')
+
     def _serialize(self,
                    ins: InsType,
                    p1: int,
@@ -419,11 +426,12 @@ def common_tlv_serialize(self,
                              ins: InsType,
                              tlv_payload: bytes,
                              p1l: list[int] = [0x01, 0x00],
-                             p2l: list[int] = [0x00]) -> list[bytes]:
+                             p2l: list[int] = [0x00],
+                             payload: bytes = bytes()) -> list[bytes]:
         assert len(p1l) in [1, 2]
         assert len(p2l) in [1, 2]
         chunks = []
-        payload = struct.pack(">H", len(tlv_payload))
+        payload += struct.pack(">H", len(tlv_payload))
         payload += tlv_payload
         p1 = p1l[0]
         p2 = p2l[0]
@@ -456,6 +464,11 @@ def provide_network_information(self,
                 p1 = P1Type.FOLLOWING_CHUNK
         return chunks
 
+    def sign_eip7702_authorization(self, bip32_path: str, tlv_payload: bytes) -> list[bytes]:
+        return self.common_tlv_serialize(InsType.SIGN_EIP7702_AUTHORIZATION,
+                                         tlv_payload,
+                                         payload=pack_derivation_path(bip32_path))
+
     def provide_enum_value(self, tlv_payload: bytes) -> list[bytes]:
         return self.common_tlv_serialize(InsType.PROVIDE_ENUM_VALUE, tlv_payload)
 

client/src/ledger_app_clients/ethereum/response_parser.py

@@ -1,11 +1,11 @@
-def signature(data: bytes) -> tuple[bytes, bytes, bytes]:
+def signature(data: bytes) -> tuple[int, int, int]:
     assert len(data) == (1 + 32 + 32)
 
-    v = data[0:1]
+    v = int.from_bytes(data[0:1], "big")
     data = data[1:]
-    r = data[0:32]
+    r = int.from_bytes(data[0:32], "big")
     data = data[32:]
-    s = data[0:32]
+    s = int.from_bytes(data[0:32], "big")
 
     return v, r, s
 

client/src/ledger_app_clients/ethereum/settings.py

@@ -11,6 +11,7 @@ class SettingID(Enum):
     NONCE = auto()
     VERBOSE_EIP712 = auto()
     DEBUG_DATA = auto()
+    EIP7702 = auto()
 
 
 def get_device_settings(firmware: Firmware) -> list[SettingID]:
@@ -28,6 +29,7 @@ def get_device_settings(firmware: Firmware) -> list[SettingID]:
             SettingID.NONCE,
             SettingID.VERBOSE_EIP712,
             SettingID.DEBUG_DATA,
+            SettingID.EIP7702,
         ]
     return [
         SettingID.WEB3_CHECK,
@@ -36,6 +38,7 @@ def get_device_settings(firmware: Firmware) -> list[SettingID]:
         SettingID.NONCE,
         SettingID.VERBOSE_EIP712,
         SettingID.DEBUG_DATA,
+        SettingID.EIP7702,
     ]
 
 
@@ -75,6 +78,11 @@ def get_setting_position(firmware: Firmware, setting: SettingID) -> tuple[int, i
             page, y = 2, 130
         else:
             page, y = 2, 315
+    elif setting == SettingID.EIP7702:
+        if firmware == Firmware.STAX:
+            page, y = 2, 300
+        else:
+            page, y = 3, 140
     else:
         raise ValueError(f"Unknown setting: {setting}")
     return page, x, y