[Bug]: `personal_sign` should expect a hex string instead of a plain string

[ly0va]

🧰 Project

SDK

📝 Description

In the passkey client, the signMessage method (aka personal_sign) expects a plain string (not a hex string) to sign. However, Metamask's API - a de-facto standard for wallet APIs - expects a hex string.

This will cause issues as the interface will deviate from that of other wallets.

🔄 Reproduction steps

const message = "Hello world";
const messageToSign = stringToHex(message);

const signature = await provider.request({
  method: "personal_sign",
  params: [messageToSign, account.address],
});

const isValidSignature = await verifyMessage({
  message,
  signature,
  address: account.address,
});

🤔 Expected behavior

isValidSignature should be true, but it is false.
However, if we instead pass the hexed version of the message into verifyMessage, it returns true.

😯 Actual behavior

No response

🖥 Environment

No response

📋 Additional context

No response

📎 Logs

[JackHamer09]

I think concept of viems client method signMessage is confused with a different concept - RPC personal_sign request.
SSO SDK mostly just reuses native viem methods, so you can rely on viem documentation.

You can either pass original message or { raw: "0x..." } to client.signMessage - https://viem.sh/docs/actions/wallet/signMessage#signmessage
and same for verifyMessage - https://viem.sh/docs/utilities/verifyMessage#verifymessage

[Boopi7]

Title: personal_sign should take a hex string (to match MetaMask)

Body:

Hey there👋

Noticed something while testing the SDK - our personal_sign (aka signMessage) currently expects a plain string, but MetaMask (and basically every wallet following EIP-191) expects a hex-encoded UTF-8 string.

That means if you sign a message here and then try to verify it elsewhere, it might fail since the encodings don’t match.

Example:

const msg = "Hello world";
const msgHex = stringToHex(msg);

const sig = await provider.request({
  method: "personal_sign",
  params: [msgHex, account.address],
});

verifyMessage({ message: msg, signature: sig, address: account.address }); // ❌ false
verifyMessage({ message: msgHex, signature: sig, address: account.address }); // ✅ true

What I’d suggest:
Let’s make personal_sign expect hex by default, or automatically convert plain strings under the hood (e.g., hexlify(toUtf8Bytes(message))).
That way, we’ll match MetaMask’s behavior and avoid any cross-wallet surprises.

Thanks! 🙌