Note: You must have the necessary privileges to your Google Cloud account to perform maintenance operations.
View the logs
To view the Co-signer’s logs, go to the VM instances page in the GCP console and confirm that the right project is selected (for example, “GCP-Customer-Cosigner-Dev”). Then click the relevant VM name and click “logging” (which appears under “Logs”). This opens a new window with the customer Co-signer’s logs.
Observe the status
To check the Co-signer’s health, run the following command:
Check the status field of the VM in the output and confirm it is set to RUNNING. However, this does not guarantee the health of the Co-signer. To verify its functionality, monitor the transaction activity passing through it.
Also, use the Co-signers management tab to observe the online / offline status.
List the paired API users
Use the Co-signers management tab to observe the paired API users.
Retrieve the public key
You can view the Co-signer’s logs in Google Cloud’s console to find the public key used by the Callback Handler’s server for JWT-encoded signed message authentication. Search for public key in the logs, as shown in the example below.
Stop the Co-signer
You can stop the Co-signer by running:
Note: This operation will not delete the VM.
You can also stop the VM from the GCP console.
Restart the Co-signer
In case the Co-signer’s VM is down, given the Co-signer was already created, you can restart the Co-signer by running:
Retrieve the running version
Use Google Cloud’s console to check the Co-signer’s running image version by observing the tee-image-reference field in Custom metadata in the Details section.
Alternatively, you can search for Initializing CustomerCosignerGCPConfidentialSpace, commit sha within the instance logs.
Update the Co-signer
You can update the Co-signer by running the following script:
- Stops the existing VM running the current Co-signer.
- Updates the OIDC workload identity pool provider’s attestation verification with the SHA of the new version’s image.
- Creates a new VM that runs the new image.
Important: Delete the old VM once the new one is fully operational.
Note: Because the policy is configured to protect the VM from deletion, first disable deletion protection in the GCP console: under VM > Edit, clear "Enable deletion protection" and save the new settings, then delete the VM.
Important: Please make sure to refer to this doc to get the image SHA.
Migrate to a new machine
Stop the current Co-signer VM and set up a new one that uses the same resources, except for the VM itself.
Configure the communication protocol
WebSocket is the default protocol the Co-signer uses to communicate with the Fireblocks SaaS. You can switch to HTTP Long Polling by configuring the client_install_gcp_api_cosigner_script.sh script.
To configure the Co-signer to use HTTP long polling, you can create a new VM that will use the same resources, but ensure you remove the \"--websocket\" parameter from the create_vm_cmd line so that it will look like this:
- Stop the Co-signer VM
- From the GCP console, locate VM > Edit > Metadata
- Remove “--websocket” from the “Value 1” matching Key 1, which is “tee-cmd”
- Click Save and restart the VM to apply the changes to the Co-signer
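An added example, not part of the Fireblocks documentation or scripts: a Python check over the JSON printed by `gcloud compute instances describe <vm> --format=json` that automates the points this page has you inspect by hand (the status field, the tee-image-reference digest, deletion protection, and whether tee-cmd carries --websocket). The sample JSON, registry path and digest are constructed, the function names are hypothetical, and treating tee-cmd as a JSON-encoded list is an assumption.

```python
import json
import re

# Constructed sample shaped like `gcloud compute instances describe <vm>
# --format=json`; the registry path and digest are placeholders.
SAMPLE = json.dumps({
    "status": "RUNNING",
    "deletionProtection": True,
    "metadata": {"items": [
        {"key": "tee-image-reference",
         "value": "registry.example/cosigner/image@sha256:" + "ab" * 32},
        {"key": "tee-cmd", "value": '["--websocket"]'},
    ]},
})

DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

def _metadata(vm):
    """Flatten the instance's custom metadata items into a dict."""
    return {i["key"]: i.get("value", "") for i in vm.get("metadata", {}).get("items", [])}

def audit_cosigner_vm(describe_json, expected_digest):
    """Return a list of findings; an empty list means every check passed."""
    vm = json.loads(describe_json)
    meta = _metadata(vm)
    findings = []
    if vm.get("status") != "RUNNING":
        findings.append(f"status is {vm.get('status')!r}, expected 'RUNNING'")
    # The workload identity pool provider verifies the image SHA, so the VM
    # should reference the image by digest, and by the digest you expect.
    match = DIGEST_RE.search(meta.get("tee-image-reference", ""))
    if not match:
        findings.append("tee-image-reference is not pinned to a sha256 digest")
    elif match.group(1) != expected_digest:
        findings.append(f"image digest {match.group(1)} differs from expected")
    if not vm.get("deletionProtection", False):
        findings.append("deletion protection is disabled")
    return findings

def transport(describe_json):
    """Report the protocol implied by tee-cmd (assumed to be a JSON list)."""
    raw = _metadata(json.loads(describe_json)).get("tee-cmd", "[]")
    try:
        args = json.loads(raw)
    except ValueError:
        args = raw.split()  # fall back to a plain space-separated string
    return "websocket" if "--websocket" in args else "http-long-polling"
```

A RUNNING status with no findings still says nothing about signing health, so keep monitoring transaction activity as described under "Observe the status".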