Skip to main content

Updating the API Co-Signer

  • Updated

Overview

Fireblocks regularly updates the API Co-Signer software with additional security measures and new functionality. To check your current API Co-Signer version, run the following command:

head cosigner -n 3 | grep VER

Update methods

Use one of the following methods to update your API Co-Signer software.

In-place updates

Note

The in-place update procedure below only applies to API Co-Signers using Intel SGX. To perform an in-place update to the latest API Co-Signer version and the script:

  • Download the latest script from the Fireblocks Console and replace the existing script on the co-signer instance. This step will ensure you have the latest co-signer script version when there will be a need to re-initialize the co-signer. 
  • The in-place update procedure does not require running the initial setup procedure (./cosigner setup). Instead, run the following commands:
sudo -i

./cosigner stop

mv /databases/cosigner/enclave/enclave.signed.so /databases/cosigner/enclave/enclave.signed.so_old

./cosigner start 3.5.0

New server

We recommend using this method when:

  • You want to upgrade the RAM or CPU of your existing API Co-Signer machine.
  • Your existing API Co-Signer machine is damaged.
  • Your Fireblocks API Co-Signer script version doesn’t support in-place upgrades.

A new server requires creating a new API user as the first user for the machine. Then, you must reassign any Transaction Authorization Policy (TAP) rules from the previous API user to the new one. Learn more about editing existing TAP rules.

If you’re unable to edit your TAP and want to reuse the existing API user, submit a request to Fireblocks Support to invalidate the API key.

Re-imaging Fireblocks software for the same API Co-Signer machine

We recommend using this method when a Fireblocks API Co-Signer version doesn’t support in-place updates and you do not want to replace your machine with another machine.

  1. Contact Fireblocks Support to invalidate the API user set as the first user on this machine.
  2. Remove the following items from your API Co-Signer instance:
    • The /databases directory
    • .config.local
    • .revisions
  3. Copy a link to the API Co-Signer script file from your Fireblocks Console. If you have any issues with these steps, please contact Fireblocks Support
      1. Go to SettingsGeneral.
      2. Under the Download co-signer script heading select Copy to copy the script file's URL to your clipboard.
        download_api-co-signer_script.png
  4. Re-mount the Fireblocks API Co-Signer using the URL copied in the previous step. Use the API Secret of the invalidated API Co-Signer user that was set as the first user on this machine. See API Co-Signer setup for more information.
  5. Finally, re-enroll any other API users that were deployed to the previous machine. Use their newly generated API secrets and add them as API users to the API Co-Signer machine by using the command: ./cosigner add-user
Was this article helpful?
1 out of 1 found this helpful

Related Articles