IMPORTANT NOTE:
This article will be deprecated by February 28th, 2025. For all API Co-signer documentation, visit this overview article, which also links to updated Co-signer content in the Developer Portal.
Overview
Fireblocks regularly updates the API Co-Signer software with additional security measures and new functionality. To check your current API Co-Signer bash script version, run the following command:
head cosigner -n 3 | grep VER
Update methods
Use one of the following methods to update your API Co-Signer software.
In-place updates
Note
The in-place update procedure below only applies to API Co-Signers using Intel SGX.
To perform an in-place update to the latest API Co-Signer version and the script:
1. Copy a link to the most recent API Co-Signer script file from your Fireblocks Console. If you have any issues with these steps, please contact Fireblocks Support.
   - Go to Settings > General.
   - Under the Download co-signer script heading select Copy to copy the script file's URL to your clipboard.
2. Go to the path where the existing cosigner script is present and enter the command using the link you just copied:
   curl -o cosigner "<<URL Download Link>>"
3. Change the script permissions to be executable:
   sudo -i
   chmod +x cosigner
4. Stop the Co-signer container:
   ./cosigner stop
5. Run command:
   docker ps -a
   and check the output of the command. No Co-signer container should be running. If the container is still running after executing ./cosigner stop, contact Fireblocks Support.
6. Run the following commands and replace <image_version> with the most recent version number. (For example: 3.6.5)
   mv /databases/cosigner/enclave/enclave.signed.so /databases/cosigner/enclave/enclave.signed.so_old
   ./cosigner start <image_version>
7. Run command:
   docker ps -a
   A successful update returns an output with
   azure-cosigner:<image_version>
   with the image version matching the value entered in step 6 above.
Note that the following API Co-Signer versions do not support in-place updates and can only be updated using one of the methods below.
- Version 1.1.4
- Version 1.1.5
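The two docker ps -a checks in the in-place update procedure (after ./cosigner stop and after ./cosigner start <image_version>) can be scripted rather than read by eye. This is an added example, not part of the Fireblocks script or the original article; the function names, the use of docker's --format template, and the sample lines with the registry.example/ prefix are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Fireblocks code). Each function reads lines of
#   docker ps -a --format '{{.Image}} {{.Status}}'
# on stdin: field 1 is the image, field 2 is the first word of the status.

# Check after `./cosigner stop`: succeeds only if no azure-cosigner
# container is still active ("Up ..." or "Restarting ...").
cosigner_stopped() {
    awk '$1 ~ /(^|\/)azure-cosigner:/ && ($2 == "Up" || $2 == "Restarting") { active = 1 }
         END { exit active + 0 }'
}

# Check after `./cosigner start <image_version>`: succeeds only if a running
# container's image ends in exactly azure-cosigner:<image_version>.
# Literal suffix comparison, so 3.6.5 does not match 3.6.50.
cosigner_running_version() {
    awk -v want="azure-cosigner:$1" '
        $2 == "Up" {
            n = length($1) - length(want) + 1
            if (n >= 1 && substr($1, n) == want &&
                (n == 1 || substr($1, n - 1, 1) == "/")) ok = 1
        }
        END { exit !ok }'
}

# Constructed sample output; the registry prefix is a placeholder.
SAMPLE_AFTER_STOP='registry.example/azure-cosigner:3.6.4 Exited (0) 2 minutes ago'
SAMPLE_AFTER_START='registry.example/azure-cosigner:3.6.5 Up 30 seconds'

printf '%s\n' "$SAMPLE_AFTER_STOP" | cosigner_stopped \
    && echo "stop check: no Co-signer container running"
printf '%s\n' "$SAMPLE_AFTER_START" | cosigner_running_version 3.6.5 \
    && echo "start check: azure-cosigner:3.6.5 is up"

# On the Co-Signer host, feed the real output instead of the samples:
#   docker ps -a --format '{{.Image}} {{.Status}}' | cosigner_stopped
#   docker ps -a --format '{{.Image}} {{.Status}}' | cosigner_running_version 3.6.5
```

A non-zero exit from either function is the condition under which the procedure says to contact Fireblocks Support or to re-check the version entered.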
New server
We recommend using this method when:
- You want to upgrade the RAM or CPU of your existing API Co-Signer machine.
- Your existing API Co-Signer machine is damaged.
- Your Fireblocks API Co-Signer script version doesn’t support in-place upgrades.
A new server requires creating a new API user as the first user for the machine. Then, you must reassign any Transaction Authorization Policy (TAP) rules from the previous API user to the new one. Learn more about editing existing TAP rules.
If you’re unable to edit your TAP and want to reuse the existing API user, submit a request to Fireblocks Support to invalidate the API key.
Re-imaging Fireblocks software for the same API Co-Signer machine
We recommend using this method when a Fireblocks API Co-Signer version doesn’t support in-place updates and you do not want to replace your machine with another machine.
1. Determine all the API users paired with the Co-Signer machine by running the following command:
   ./cosigner list-users
2. Re-enroll the first API user on that list:
   - In the Fireblocks Console, go to Settings > Users.
   - Find the API user and select More Actions > Re-enroll API user.
3. Remove the current version of the Co-Signer using the following commands:
   sudo rm -rf /databases
   sudo rm -f .local_config .revisions
4. Copy a link to the latest API Co-Signer script file from your Fireblocks Console. If you have any issues with these steps, please contact Fireblocks Support.
   - Go to Settings > General.
   - Under the Download co-signer script heading select Copy to copy the script file's URL to your clipboard.
5. Re-install the Fireblocks API Co-Signer:
   - Enter the sudo mode:
     sudo -i
   - Download the script directly to the Co-Signer instance by entering the URL copied from the Fireblocks Console in step 4:
     curl -o cosigner "<<URL Download Link>>"
   - Make the Co-Signer script file executable:
     chmod +x cosigner
   - Run the setup command:
     ./cosigner setup
   - Enter the pairing token for the API user you re-enrolled in step 2.
   - (Optional) Enter the Callback Handler URL if you want to use your Callback Handler for automating approvals and signing for transactions or workspace changes.
6. Finally, re-enroll any remaining API users that were listed in step 1. Use their newly generated API pairing token and add them as API users to the API Co-Signer machine by using the command:
   ./cosigner add-user
7. If applicable, enter the Callback Handler URLs for the remaining API users.