Overview
Fireblocks regularly updates the API Co-Signer software with additional security measures and new functionality. To check your current API Co-Signer version, run the following command:
head cosigner -n 3 | grep VER
Update methods
Use one of the following methods to update your API Co-Signer software.
In-place updates
Note
The in-place update procedure below only applies to API Co-Signers using Intel SGX.
To perform an in-place update to the latest API Co-Signer version and the script:
- Download the latest script from the Fireblocks Console and replace the existing script on the co-signer instance. This step ensures you have the latest co-signer script version if you later need to re-initialize the co-signer.
- The in-place update procedure does not require running the initial setup procedure (./cosigner setup). Instead, run the following commands:
sudo -i
./cosigner stop
mv /databases/cosigner/enclave/enclave.signed.so /databases/cosigner/enclave/enclave.signed.so_old
./cosigner start 3.5.0
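The `mv` step above can silently replace an `enclave.signed.so_old` left by an earlier update. As an added example (not part of the Fireblocks script or documentation), the helper below, under the hypothetical name `rotate_enclave`, performs the same rename but refuses to overwrite an existing backup and prints the SHA-256 of the preserved enclave for the change record; it assumes `sha256sum` is installed.

```shell
#!/bin/sh
# Added example: guarded version of the `mv` step in the in-place update.
# rotate_enclave and sha256_of are hypothetical helper names, not cosigner commands.

# Default path is the one used on this page; pass another path as $1 for testing.
ENCLAVE_DEFAULT=/databases/cosigner/enclave/enclave.signed.so

# Print only the hex digest of a file; fail if the file cannot be hashed.
sha256_of() {
    out=$(sha256sum "$1") || return 1
    echo "${out%% *}"
}

rotate_enclave() {
    src=${1:-$ENCLAVE_DEFAULT}
    dst="${src}_old"

    # Nothing to rotate: wrong host, wrong path, or already rotated.
    if [ ! -f "$src" ]; then
        echo "rotate_enclave: $src not found" >&2
        return 2
    fi
    # A plain `mv` can replace the backup kept from a previous update.
    if [ -e "$dst" ]; then
        echo "rotate_enclave: $dst already exists, refusing to overwrite" >&2
        return 3
    fi

    before=$(sha256_of "$src") || return 4
    mv -- "$src" "$dst" || return 4
    after=$(sha256_of "$dst") || return 4

    # The backup must be byte-identical to the enclave that was in use.
    if [ "$before" != "$after" ]; then
        echo "rotate_enclave: hash mismatch after move" >&2
        return 5
    fi
    # Print the digest so it can be recorded alongside the update.
    echo "$after"
}
```

Source the file and call `rotate_enclave` in place of the `mv` line, between `./cosigner stop` and `./cosigner start`.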
New server
We recommend using this method when:
- You want to upgrade the RAM or CPU of your existing API Co-Signer machine.
- Your existing API Co-Signer machine is damaged.
- Your Fireblocks API Co-Signer script version doesn’t support in-place upgrades.
A new server requires creating a new API user as the first user for the machine. Then, you must reassign any Transaction Authorization Policy (TAP) rules from the previous API user to the new one. Learn more about editing existing TAP rules.
If you’re unable to edit your TAP and want to reuse the existing API user, submit a request to Fireblocks Support to invalidate the API key.
Re-imaging Fireblocks software for the same API Co-Signer machine
We recommend using this method when a Fireblocks API Co-Signer version doesn’t support in-place updates and you do not want to replace your machine with another machine.
- Contact Fireblocks Support to invalidate the API user set as the first user on this machine.
- Remove the following items from your API Co-Signer instance:
  - The /databases directory
  - .config.local
  - .revisions
- Copy a link to the API Co-Signer script file from your Fireblocks Console. If you have any issues with these steps, please contact Fireblocks Support.
  - Go to Settings > General.
  - Under the Download co-signer script heading select Copy to copy the script file's URL to your clipboard.
- Re-mount the Fireblocks API Co-Signer using the URL copied in the previous step. Use the API Secret of the invalidated API Co-Signer user that was set as the first user on this machine. See API Co-Signer setup for more information.
- Finally, re-enroll any other API users that were deployed to the previous machine. Use their newly generated API secrets and add them as API users to the API Co-Signer machine by using the command:
./cosigner add-user