IMPORTANT NOTE:
This article will be deprecated by February 28th, 2025. For all API Co-signer documentation, visit this overview article, which also links to updated Co-signer content in the Developer Portal.
The Fireblocks SGX API Cosigner can be viewed as several different components:
1. Installation script
Your easy-to-use interface for managing the cosigner. It is intentionally built as a readable script so that anyone can review or customize it.
Note:
To get assistance, use the official script downloaded from the Fireblocks Console or reach out to Fireblocks Support.
Embedded in the script is the path to the docker image registry from which the cosigner docker image is downloaded. The script can download images of various versions; it falls back to its default versions only when none are specified explicitly. Learn about version info for the cosigner installation script.
2. Docker image
The Co-Signer's executable is wrapped in a docker image in order to provide safe, versioned, and consistent installation across different platforms. The docker image provides all libraries and dependencies of the main executable. Learn about version info for the cosigner container image.
3. Main loading executable
This is a slim binary which:
- Downloads and verifies the enclave
- Exposes command line interfaces
Q: Should I verify the executable's signature?
If you are using the docker image specified by the script, no further verification is needed: the executable is embedded in the image.
4. Secure SGX enclave
This component contains most of the Co-Signer's code and logic. It is both encrypted and signed by Fireblocks, and it can be downloaded from the Fireblocks server during setup.
Q: Why is the enclave encrypted?
SGX allows the enclave to be stored on disk encrypted with a hardware key that is available only to the specific CPU on which the enclave will execute. Securing the enclave this way prevents it from being modified, makes it impossible to reverse engineer, and hides any secrets embedded within it. Only this enclave is capable of reading the secrets stored by the Co-Signer.
Q: Should I verify the enclave's signature?
There is no need for that. The Fireblocks signing key is embedded within the loading executable, which verifies the enclave's signature whenever it is loaded.
Q: Where do I find the enclave in the docker image?
The enclave is only downloaded when the Co-Signer goes through a setup or upgrade process, so it is omitted from the docker image. The file's name is enclave.signed.so, but its exact location is not important since it is an implementation detail.
Putting it all together
The chain of trust is script > image > executable > enclave, and Fireblocks maintains the compatibility between them. When the Co-Signer is first set up, or upgraded, the enclave downloaded from Fireblocks servers is always the latest version of the enclave that is compatible with the currently installed executable.
To have the absolute latest published version of the enclave, make sure to always use the latest cosigner docker image.
The safest way to install the latest version is always to use the latest installation script.
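The two checks described above, the loading executable verifying the enclave with its embedded signing key and the enclave matching the installed executable version, as an added illustrative model that is not Fireblocks' code. Ed25519, the `SignedEnclave` layout, the `exec>=N|` framing and the integer version numbers are assumptions made for this example; the article does not state the real signature scheme or file format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedEnclave models the downloaded enclave.signed.so: enclave bytes, the
// lowest executable version it is compatible with, and the vendor's signature.
type SignedEnclave struct {
	Blob          []byte
	MinExecutable int
	Signature     []byte
}

// message binds the compatibility version into the signed data, so the version
// cannot be altered without invalidating the signature.
func message(blob []byte, minExec int) []byte {
	return append([]byte(fmt.Sprintf("exec>=%d|", minExec)), blob...)
}

// Sign models the vendor's build step; the private key never leaves the vendor.
func Sign(priv ed25519.PrivateKey, blob []byte, minExec int) SignedEnclave {
	return SignedEnclave{blob, minExec, ed25519.Sign(priv, message(blob, minExec))}
}

// Load models the slim loading executable: embeddedKey stands in for the vendor
// key baked in at build time. Verify first, then check version compatibility.
func Load(embeddedKey ed25519.PublicKey, installed int, e SignedEnclave) error {
	if !ed25519.Verify(embeddedKey, message(e.Blob, e.MinExecutable), e.Signature) {
		return errors.New("enclave signature invalid: refusing to load")
	}
	if installed < e.MinExecutable {
		return fmt.Errorf("enclave needs executable >= %d, installed is %d", e.MinExecutable, installed)
	}
	return nil
}

// Scenario uses a throwaway key pair (constructed for this example) and runs the
// loader on a genuine enclave, a tampered copy, and an incompatible newer one.
func Scenario() (genuine, tampered, incompatible error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	good := Sign(priv, []byte("constructed enclave bytes"), 3)
	bad := good
	bad.Blob = []byte("modified enclave bytes") // any change breaks verification
	newer := Sign(priv, []byte("newer constructed enclave"), 4)
	return Load(pub, 3, good), Load(pub, 3, bad), Load(pub, 3, newer)
}
```

Only the genuine enclave loads; the modified copy fails signature verification before any of its code runs, and the newer enclave is rejected as incompatible with executable version 3.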