Overview
Fireblocks regularly updates the API Co-Signer software with additional security measures and new functionality. To check your current API Co-Signer version, run the following command:
head cosigner -n 3 | grep VER
Update methods
Use one of the following methods to update your API Co-Signer software.
In-place updates
Beginning with version 1.1.6, you can perform in-place updates to the API Co-Signer software. To update to the latest version, run the following command:
./cosigner upgrade-script
The output from this should look like the following:
root@Hostname # ./cosigner upgrade-script
Please specify install script version:
1.1.6
Backup install script ./cosigner to ./cosigner.1.1.5.20230214210209
Downloading install script version 1.1.6
Uploading logs to Fireblocks
Physical Device ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
You can validate the update with the following command:
root@Hostname:~# cat cosigner | grep VER
VER="1.1.6"
root@Hostname:~# md5sum cosigner
533f2f93d02371d119bc31cb4fec8a013 cosigner
Note that the following API Co-Signer versions do not support in-place updates. You must use one of the methods below for these versions.
- Version 1.1.4
- Version 1.1.5
New server
We recommend using this method when:
- You want to upgrade the RAM or CPU of your existing API Co-Signer machine.
- Your existing API Co-Signer machine is damaged.
- Your Fireblocks API Co-Signer script version doesn’t support in-place upgrades.
A new server requires creating a new API user as the first user for the machine. Then, you must reassign any Transaction Authorization Policy (TAP) rules from the previous API user to the new one. Learn more about editing existing TAP rules.
If you’re unable to edit your TAP and want to reuse the existing API user, submit a request to Fireblocks Support to invalidate the API key.
Re-imaging Fireblocks software for the same API Co-Signer machine
We recommend using this method when a Fireblocks API Co-Signer version doesn’t support in-place updates and you do not want to replace your machine with another machine.
First, contact Fireblocks Support to:
- Request to invalidate the API user set as the first user on this machine.
- Request a new API Co-Signer image.
Then, unmount the current machine. Follow the official documentation for your configuration:
Next, remove the following:
- The /databases directory
- .config.local
- .revisions
Next, re-mount the Fireblocks API Co-Signer image sent by Fireblocks Support. Use the API Secret of the invalidated API Co-Signer user that was set as the first user on this machine.
Finally, re-enroll any other API users that were deployed to the previous machine. Use their newly-generated API secrets and add them as API users to the API Co-Signer machine using the CLI.