From: Andreas Henriksson <andreas@fatal.se>
Date: Fri, 14 Oct 2022 13:36:36 +0200
Subject: Remove vault signer

There's simply too much work to be done on the src:vault package
to get it into a shape where we can depend on it.

For now just revert adding the vault signer to mender-artifact.

If we can't figure out a way to fix up src:vault and have it
provide golang-github-hashicorp-vault-api-dev for us to build-dep
on, then another solution might be to simply stop stripping vendored
dependencies + stop using external build dependencies....
This is a decision for another day though.
---
 artifact/vault/signer.go      | 264 --------------------
 artifact/vault/signer_test.go | 556 ------------------------------------------
 cli/artifacts.go              |   5 +-
 cli/cli.go                    |  17 --
 cli/dump_test.go              |   1 -
 cli/modify_existing_test.go   |   2 -
 6 files changed, 1 insertion(+), 844 deletions(-)
 delete mode 100644 artifact/vault/signer.go
 delete mode 100644 artifact/vault/signer_test.go

diff --git a/artifact/vault/signer.go b/artifact/vault/signer.go
deleted file mode 100644
index ed61536..0000000
--- a/artifact/vault/signer.go
+++ /dev/null
@@ -1,264 +0,0 @@
-// Copyright 2022 Northern.tech AS
-//
-//    Licensed under the Apache License, Version 2.0 (the "License");
-//    you may not use this file except in compliance with the License.
-//    You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-//    Unless required by applicable law or agreed to in writing, software
-//    distributed under the License is distributed on an "AS IS" BASIS,
-//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//    See the License for the specific language governing permissions and
-//    limitations under the License.
-
-package vault
-
-import (
-	"encoding/base64"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/mendersoftware/mender-artifact/artifact"
-
-	vault "github.com/hashicorp/vault/api"
-	"github.com/minio/sha256-simd"
-	"github.com/pkg/errors"
-)
-
-type VaultSigner struct {
-	vaultClient vaultLogicalClient
-	mountPath   string
-	keyName     string
-	keyVersion  int
-}
-
-func NewVaultSigner(vaultKeyName string) (*VaultSigner, error) {
-	//Create Vault client
-	config := vault.DefaultConfig()
-	client, err := vault.NewClient(config)
-	if err != nil {
-		return nil, errors.Wrap(err, "error creating Hashicorp Vault client")
-	}
-
-	if os.Getenv("VAULT_TOKEN") == "" {
-		return nil, errors.New("Please provide a Hashicorp Vault token via " +
-			"VAULT_TOKEN environment variable.")
-	}
-
-	vaultMountPath := os.Getenv("VAULT_MOUNT_PATH")
-	if vaultMountPath == "" {
-		return nil, errors.New("Please provide the mount path of the used transit engine " +
-			"via VAULT_MOUNT_PATH environment variable.")
-	}
-
-	// Use key version from environment variable, if set.
-	// If not, use default key version (1)
-	vaultKeyVersion := 1
-	if os.Getenv("VAULT_KEY_VERSION") != "" {
-		vaultKeyVersion, err = strconv.Atoi(os.Getenv("VAULT_KEY_VERSION"))
-		if err != nil {
-			return nil, errors.Wrap(err, "Error converting VAULT_KEY_VERSION to integer")
-		}
-	}
-
-	return &VaultSigner{
-		vaultClient: client.Logical(),
-		mountPath:   vaultMountPath,
-		keyName:     vaultKeyName,
-		keyVersion:  vaultKeyVersion,
-	}, nil
-}
-
-func (s *VaultSigner) Sign(message []byte) ([]byte, error) {
-
-	// Hash message and convert hash to base64
-	hasher := sha256.New()
-	hasher.Write(message)
-	hash := base64.StdEncoding.EncodeToString(hasher.Sum(nil))
-
-	// Get key type from vault (RSA or ECDSA)
-	keyType, err := s.getKeyType()
-	if err != nil {
-		return nil, err
-	}
-
-	// Call signing function depending on keyType
-	if strings.HasPrefix(keyType, "ecdsa-p256") {
-		return s.VaultECDSASign(hash)
-	} else if strings.HasPrefix(keyType, "rsa") {
-		return s.VaultRSASign(hash)
-	}
-
-	return nil, errors.New("unsupported key type: " + keyType)
-}
-
-func (s *VaultSigner) Verify(message, sig []byte) error {
-	sm, err := s.getVaultKeyAndVerifyMethod()
-	if err != nil {
-		return errors.Wrap(err, "Error while generating verifier")
-	}
-
-	dec := make([]byte, base64.StdEncoding.DecodedLen(len(sig)))
-	decLen, err := base64.StdEncoding.Decode(dec, sig)
-	if err != nil {
-		return errors.Wrap(err, "signer: error decoding signature")
-	}
-
-	return sm.Method.Verify(message, dec[:decLen], sm.Key)
-}
-
-func (s *VaultSigner) getVaultKeyAndVerifyMethod() (*artifact.SigningMethod, error) {
-	// Get public key from Vault
-	response, err := s.vaultClient.Read(s.mountPath + "/keys/" + s.keyName)
-	if err != nil {
-		return nil, errors.Wrap(err, "signer: error getting public "+
-			"key from Hashicorp Vault")
-	}
-
-	if response == nil {
-		return nil, errors.New("error getting public key from Hashicorp Vault: " +
-			"Key \"" + s.keyName + "\" not found")
-	}
-	// Extract public key from response
-	keys, exist := response.Data["keys"]
-	if !exist {
-		return nil, errors.New("No keys found in response")
-	}
-
-	keys_map, ok := keys.(map[string]interface{})
-	if !ok {
-		return nil, errors.New("type assertion error: expected map[string]interface{}")
-	}
-
-	selected_key, exist := keys_map[strconv.Itoa(s.keyVersion)]
-	if !exist {
-		return nil, errors.New("Key version not found: v" + strconv.Itoa(s.keyVersion))
-	}
-
-	selected_key_map, ok := selected_key.(map[string]interface{})
-	if !ok {
-		return nil, errors.New("type assertion error: expected map[string]interface{}")
-	}
-
-	public_key, exist := selected_key_map["public_key"]
-	if !exist {
-		return nil, errors.New("Public key not found in response from Hashicorp Vault")
-	}
-
-	public_key_string, ok := public_key.(string)
-	if !ok {
-		return nil, errors.New("type assertion error: expected public key as string")
-	}
-
-	return artifact.GetKeyAndVerifyMethod([]byte(public_key_string))
-}
-
-func (s *VaultSigner) getKeyType() (string, error) {
-	// Get key type from vault (RSA or ECDSA)
-	response, err := s.vaultClient.Read(s.mountPath +
-		"/keys/" + s.keyName)
-	if err != nil {
-		return "", errors.Wrap(err, "error getting key type from Hashicorp Vault")
-	}
-
-	if response == nil {
-		return "", errors.New("error getting key type from Hashicorp Vault: " +
-			"Key \"" + s.keyName + "\" not found")
-	}
-
-	key_type, exist := response.Data["type"]
-	if !exist {
-		return "", errors.New("key type not found in response from Hashicorp Vault")
-	}
-
-	key_type_string, ok := key_type.(string)
-	if !ok {
-		return "", errors.New("type assertion error: expected key type as string")
-	}
-	return key_type_string, nil
-}
-
-func (s *VaultSigner) VaultECDSASign(hash string) ([]byte, error) {
-	// Generate string map for signing request
-	signing_request := map[string]interface{}{
-		"input":                hash,
-		"prehashed":            true,
-		"marshaling_algorithm": "jws",
-		"key_version":          s.keyVersion,
-	}
-
-	// Define path for vault client to sign the hash
-	path := s.mountPath + "/sign/" + s.keyName + "/sha2-256"
-
-	// Send signing request to Vault server
-	response, err := s.vaultClient.Write(path, signing_request)
-
-	// Check request Status Code
-	if err != nil {
-		return nil, errors.Wrap(err, "error sending signing request to Hashicorp Vault")
-	}
-
-	// Extract signature from Vault response
-	signature, exist := response.Data["signature"]
-	if !exist {
-		return nil, errors.New("signature not found in response from Hashicorp Vault")
-	}
-
-	signature_string, ok := signature.(string)
-	if !ok {
-		return nil, errors.New("type assertion error: expected signature as string")
-	}
-
-	// Vault signature is URL-safe base64 encoded.
-	// We need to re-encode it with standard base64.
-	signature_extracted := strings.Split(signature_string, ":")[2]
-	signature_raw, err := base64.RawURLEncoding.DecodeString(signature_extracted)
-
-	if err != nil {
-		return nil, errors.Wrap(err, "error while decoding signature")
-	}
-
-	return []byte(base64.StdEncoding.EncodeToString(signature_raw)), nil
-}
-
-func (s *VaultSigner) VaultRSASign(hash string) ([]byte, error) {
-	// Generate string map for signing request
-	signing_request := map[string]interface{}{
-		"input":               hash,
-		"prehashed":           true,
-		"signature_algorithm": "pkcs1v15",
-		"key_version":         s.keyVersion,
-	}
-
-	// Define path for vault client to sign the hash
-	path := s.mountPath + "/sign/" + s.keyName + "/sha2-256"
-
-	// Send signing request to Vault server
-	response, err := s.vaultClient.Write(path, signing_request)
-
-	// Check request status code
-	if err != nil {
-		return nil, errors.Wrap(err, "error sending signing request to Hashicorp Vault")
-	}
-
-	// Extract signature from Vault response
-	signature, exist := response.Data["signature"]
-	if !exist {
-		return nil, errors.New("signature not found in response from Hashicorp Vault")
-	}
-
-	signature_string, ok := signature.(string)
-	if !ok {
-		return nil, errors.New("type assertion error: expected signature as string")
-	}
-
-	signature_extracted := strings.Split(signature_string, ":")[2]
-	return []byte(signature_extracted), nil
-}
-
-type vaultLogicalClient interface {
-	Read(path string) (*vault.Secret, error)
-	Write(path string, data map[string]interface{}) (*vault.Secret, error)
-}
diff --git a/artifact/vault/signer_test.go b/artifact/vault/signer_test.go
deleted file mode 100644
index 17ecb3e..0000000
--- a/artifact/vault/signer_test.go
+++ /dev/null
@@ -1,556 +0,0 @@
-// Copyright 2022 Northern.tech AS
-//
-//    Licensed under the Apache License, Version 2.0 (the "License");
-//    you may not use this file except in compliance with the License.
-//    You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-//    Unless required by applicable law or agreed to in writing, software
-//    distributed under the License is distributed on an "AS IS" BASIS,
-//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//    See the License for the specific language governing permissions and
-//    limitations under the License.
-
-package vault
-
-import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/asn1"
-	"encoding/base64"
-	"math/big"
-	"os"
-	"testing"
-
-	vault "github.com/hashicorp/vault/api"
-	"github.com/mendersoftware/mender-artifact/artifact"
-	"github.com/pkg/errors"
-	"github.com/stretchr/testify/assert"
-)
-
-const (
-	PublicRSAKey = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvTNpmusLgLZgfNI9Q3hw
-No77GhlhMSA6eABo6VySYZLgREgKTuLJ3XCoPjzwZNAZ4mEDKEmI+Q53Pl+09SEI
-sWnuqNGByJbsfjLufPQ44hXgu3NuTafWzJWoWlDf7UbQxB5NFmKsxm2630Dn3n8q
-ekfFeGh3GqGQmAu0wq/atafqXbLQOj6EcVuWz9lXOuh69FZ8dMPIKsQusYhKQID3
-3Bqn3tiL3xLSk0BXTPPfgBHB6VeL5nx6rUeG9nktX/SZeaLmQwrvEahy2IhomW7T
-ofqIfhUwCb9gDSOR3qj04OCxV/wpRn8DkKO5priruZWxyKSYOSpJwAxmeKjRt0F8
-twIDAQAB
------END PUBLIC KEY-----`
-	PublicECKey = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjcVaILqOxs7FJdHGt8tmegcTPhWM
-dZRUTbT33lRY6f4z6ZNM6TiPNSr0paHZ+j/kFTbbrCVZ7cFxZVGVNLHU+Q==
------END PUBLIC KEY-----`
-	PrivateRSAKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAvTNpmusLgLZgfNI9Q3hwNo77GhlhMSA6eABo6VySYZLgREgK
-TuLJ3XCoPjzwZNAZ4mEDKEmI+Q53Pl+09SEIsWnuqNGByJbsfjLufPQ44hXgu3Nu
-TafWzJWoWlDf7UbQxB5NFmKsxm2630Dn3n8qekfFeGh3GqGQmAu0wq/atafqXbLQ
-Oj6EcVuWz9lXOuh69FZ8dMPIKsQusYhKQID33Bqn3tiL3xLSk0BXTPPfgBHB6VeL
-5nx6rUeG9nktX/SZeaLmQwrvEahy2IhomW7TofqIfhUwCb9gDSOR3qj04OCxV/wp
-Rn8DkKO5priruZWxyKSYOSpJwAxmeKjRt0F8twIDAQABAoIBAQCbzI1m66ySNhxo
-TPvz5maJFt6BlGqreH2NOdEqcXd87+TLdYM/iJNwTQfOEIJokdDu0LI3563qYVYi
-P8+Ul7o/1hqYW8WCt31RQoGO1dFNo3RnB9vKCK7h009J6BUtn8Xj6YvTJjheQhfD
-JgCKAK+q+BUNXQDPJkIaYnFcbFEuigSuXtR5FQvTlfp97gc5P3anIeT9ATtbIkhb
-E3qUxxoQzNZWZC12eXO4r4zA5YAiWPEuvJI5daJNto+lm2UivaNWahNB1BfpinI+
-lr2TBdUKqdxL6ObC6dUBMMlsFFQSPfcmVJWf9bLjNdq/xW93zk70IfZWyaxTzxXC
-UAHATxfJAoGBAPwZVLlFZOpMkrvZJiGytenJIm/+PNfXGvQm8NKfUWOU1dEDKi7x
-1eycUHDf+j5Pdh/dY/HNKkEUgNeEa93qaCT092J1mPE55qGV4DZgxskR8spra7QC
-bMQ8Hfv1ZQYtIqZHz33aaYlr4tmNjTfGS6lK2uxmMewq1R0IRySwpB+dAoGBAMAg
-6ngMt7C1/3ClGPRnwKTv+yrI6eFBKGdA0vkgAjFcGAyXzoGv076/jv60zVaQS9ji
-eqYYbhhRiWouzlNX9EO8Ad/WzYV14AkRsq7/xzr6hUrl/rhCbPXARK2GkgRK3qsJ
-SbmA5Ihw+u2hAzFJbhTLVRu1chndeU+W8F+t5l9jAoGBAMapO4/ItK7CavtnMtpp
-V1uFKgMxSUcZ9t6h9TM1Y1DjD9/m644U+2y6/dUFW9FQkxinQURiVkL04ldzvgEh
-4LIG7RAE9eJaq3l4fzi66Mu4vihvoG85XfcCHOrZxaOpW93HRya5QGOPxjOEjd1/
-AU7Gc2DJY9vlIQ4A4Pdzz9ItAoGBAJQCB366FVxdqE3n8cR+lQq7ERvRsVLlNjHs
-31opzWanEqPI4r5HbHDa81bGhBU2jiejuWZxFYdIcPrK2gmcjUEM+citmqBAwXlb
-F/L2ek22Jq8fZU4fZf8fwgiHzb7eypCqVBBC+ksd9kDPtDzo25PLXGI/Moo4crbc
-iYq71egPAoGBAN/gfUZE20KRk2AgTie01ydoQB0SpvIYj5ZVzcV2z341HZsYQbcD
-yG6mHrUFXGSL+FB6Pnc6tVbNXhzL532sBoh4hZKzxiUph0UBP+OcY0fTp5Tgc6dh
-1L1ls+PYSgNgaZ3Tt8/SfA0retntmk6AowRMxYYzqQJVtCbBFClls+km
------END RSA PRIVATE KEY-----`
-	PrivateECKey = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIJ9sO+53ogvHC7BQoOFdUF1+VdQ44XrYJCfzC+Jd5SAmoAoGCCqGSM49
-AwEHoUQDQgAEjcVaILqOxs7FJdHGt8tmegcTPhWMdZRUTbT33lRY6f4z6ZNM6TiP
-NSr0paHZ+j/kFTbbrCVZ7cFxZVGVNLHU+Q==
------END EC PRIVATE KEY-----`
-)
-
-func TestVaultSignerCreation(t *testing.T) {
-	// Test normal vault client creation
-	os.Setenv("VAULT_TOKEN", "sometoken")
-	os.Setenv("VAULT_MOUNT_PATH", "some-mount-path")
-	client, err := NewVaultSigner("some-name")
-	assert.NoError(t, err)
-	assert.NotNil(t, client)
-	assert.IsType(t, &VaultSigner{}, client)
-	assert.IsType(t, &vault.Logical{}, client.vaultClient)
-
-	// Test error handling of vault client creation
-	os.Setenv("VAULT_TOKEN", "")
-	os.Setenv("VAULT_MOUNT_PATH", "1234")
-	client, err = NewVaultSigner("some-name")
-	assert.Error(t, err)
-	assert.Nil(t, client)
-
-	os.Setenv("VAULT_TOKEN", "1234")
-	os.Setenv("VAULT_MOUNT_PATH", "")
-	client, err = NewVaultSigner("some-name")
-	assert.Error(t, err)
-	assert.Nil(t, client)
-
-	os.Setenv("VAULT_TOKEN", "1234")
-	os.Setenv("VAULT_MOUNT_PATH", "1234")
-	os.Setenv("VAULT_KEY_VERSION", "2a")
-	client, err = NewVaultSigner("some-name")
-	assert.Error(t, err)
-	assert.Nil(t, client)
-}
-
-func TestGetKeyType(t *testing.T) {
-	// Test error handling of key information retrieval
-	vaultSigner := VaultSigner{vaultClient: &fakeVaultClient{
-		keyNotFound: true,
-		keyType:     "rsa-2048",
-		privateKey:  PrivateRSAKey,
-		publicKey:   PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err := vaultSigner.Sign([]byte("some-message"))
-	assert.Error(t, err)
-	assert.Nil(t, signature)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		genericVaultReadError: true,
-		keyType:               "rsa-2048",
-		privateKey:            PrivateRSAKey,
-		publicKey:             PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Error(t, err)
-	assert.Nil(t, signature)
-
-	// Test unsupported key type
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:    "12345",
-		privateKey: PrivateRSAKey,
-		publicKey:  PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Error(t, err)
-	assert.Nil(t, signature)
-
-	// Test invalid response data handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:                "rsa-2048",
-		invalidKeyTypeResponse: true,
-		privateKey:             PrivateRSAKey,
-		publicKey:              PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Error(t, err)
-	assert.Nil(t, signature)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:                "rsa-2048",
-		invalidKeyTypeResponse: true,
-		typeAssertionError:     true,
-		privateKey:             PrivateRSAKey,
-		publicKey:              PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Error(t, err)
-	assert.Nil(t, signature)
-}
-
-func TestVaultRSASign(t *testing.T) {
-	// Sign test message with fakeVaultClient
-	vaultSigner := VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:    "rsa-2048",
-		privateKey: PrivateRSAKey,
-		publicKey:  PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err := vaultSigner.Sign([]byte("some-message"))
-	assert.NoError(t, err)
-	assert.NotNil(t, signature)
-
-	// Check if signature is valid
-	pkiVerifier, err := artifact.NewPKIVerifier([]byte(PublicRSAKey))
-	assert.NoError(t, err)
-	err = pkiVerifier.Verify([]byte("some-message"), signature)
-	assert.NoError(t, err)
-
-	// Test signer error handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		genericVaultWriteError: true,
-		keyType:                "rsa-2048",
-		privateKey:             PrivateRSAKey,
-		publicKey:              PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-
-	// Test invalid signature response handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		invalidSignatureResponse: true,
-		keyType:                  "rsa-2048",
-		privateKey:               PrivateRSAKey,
-		publicKey:                PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		typeAssertionError:       true,
-		invalidSignatureResponse: true,
-		keyType:                  "rsa-2048",
-		privateKey:               PrivateRSAKey,
-		publicKey:                PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-}
-
-func TestVaultECDSASign(t *testing.T) {
-	// Perform normal sign operation
-	vaultSigner := VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:    "ecdsa-p256",
-		privateKey: PrivateECKey,
-		publicKey:  PublicECKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err := vaultSigner.Sign([]byte("some-message"))
-	assert.NoError(t, err)
-	assert.NotNil(t, signature)
-
-	// Check if signature is valid
-	pkiVerifier, err := artifact.NewPKIVerifier([]byte(PublicECKey))
-	assert.NoError(t, err)
-	err = pkiVerifier.Verify([]byte("some-message"), signature)
-	assert.NoError(t, err)
-
-	// Test vault signer error handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		genericVaultWriteError: true,
-		keyType:                "ecdsa-p256",
-		privateKey:             PrivateECKey,
-		publicKey:              PublicECKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-
-	// Test invalid signature response handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		invalidSignatureResponse: true,
-		keyType:                  "ecdsa-p256",
-		privateKey:               PrivateECKey,
-		publicKey:                PublicECKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		invalidSignatureResponse: true,
-		typeAssertionError:       true,
-		keyType:                  "ecdsa-p256",
-		privateKey:               PrivateECKey,
-		publicKey:                PublicECKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	signature, err = vaultSigner.Sign([]byte("some-message"))
-	assert.Nil(t, signature)
-	assert.Error(t, err)
-}
-
-func TestVaultVerify(t *testing.T) {
-	// Generate a signature with existing PKISigner
-	pkiSigner, err := artifact.NewPKISigner([]byte(PrivateRSAKey))
-	assert.NoError(t, err)
-	assert.NotNil(t, pkiSigner)
-
-	signature, err := pkiSigner.Sign([]byte("some-message"))
-	assert.NoError(t, err)
-	assert.NotNil(t, signature)
-
-	// Check normal verify operation
-	vaultSigner := VaultSigner{vaultClient: &fakeVaultClient{
-		returnPublicKey: true,
-		keyType:         "rsa-2048",
-		privateKey:      PrivateRSAKey,
-		publicKey:       PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.NoError(t, err)
-
-	// Test vault verify error handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyNotFound: true,
-		keyType:     "rsa-2048",
-		privateKey:  PrivateRSAKey,
-		publicKey:   PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.Error(t, err)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		genericVaultReadError: true,
-		keyType:               "rsa-2048",
-		privateKey:            PrivateRSAKey,
-		publicKey:             PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.Error(t, err)
-
-	// Test Key Version not found
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:         "rsa-2048",
-		returnPublicKey: true,
-		privateKey:      PrivateRSAKey,
-		publicKey:       PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 2,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.Error(t, err)
-
-	// Test invalid response data handling
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:                  "rsa-2048",
-		invalidPublicKeyResponse: true,
-		privateKey:               PrivateRSAKey,
-		publicKey:                PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.Error(t, err)
-
-	vaultSigner = VaultSigner{vaultClient: &fakeVaultClient{
-		keyType:                  "rsa-2048",
-		invalidPublicKeyResponse: true,
-		typeAssertionError:       true,
-		privateKey:               PrivateRSAKey,
-		publicKey:                PublicRSAKey,
-	},
-		mountPath:  "",
-		keyName:    "",
-		keyVersion: 1,
-	}
-	err = vaultSigner.Verify([]byte("some-message"), signature)
-	assert.Error(t, err)
-}
-
-type fakeVaultClient struct {
-	keyType                  string
-	privateKey               string
-	publicKey                string
-	keyNotFound              bool
-	typeAssertionError       bool
-	invalidKeyTypeResponse   bool
-	invalidSignatureResponse bool
-	invalidPublicKeyResponse bool
-	genericVaultReadError    bool
-	genericVaultWriteError   bool
-	returnPublicKey          bool
-}
-
-func (c *fakeVaultClient) Read(path string) (*vault.Secret, error) {
-	if c.genericVaultReadError {
-		return nil, errors.New("Vault Read error")
-	}
-
-	if c.keyNotFound {
-		return nil, nil
-	}
-
-	if c.invalidKeyTypeResponse {
-		var invalidKey map[string]interface{}
-		if c.typeAssertionError {
-			invalidKey = map[string]interface{}{
-				"type": 1,
-			}
-		} else {
-			invalidKey = map[string]interface{}{
-				"invalid": c.keyType,
-			}
-		}
-		return &vault.Secret{Data: invalidKey}, nil
-	}
-
-	if c.invalidPublicKeyResponse {
-		var publicKey map[string]interface{}
-		if c.typeAssertionError {
-			publicKey = map[string]interface{}{
-				"keys": map[string]interface{}{
-					"1": map[string]interface{}{
-						"public_key": 1,
-					},
-				},
-			}
-		} else {
-			publicKey = map[string]interface{}{
-				"keys": map[string]interface{}{
-					"1": map[string]interface{}{
-						"invalid": "invalid",
-					},
-				},
-			}
-		}
-		return &vault.Secret{Data: publicKey}, nil
-	}
-
-	if c.returnPublicKey {
-		publicKey := map[string]interface{}{
-			"keys": map[string]interface{}{
-				"1": map[string]interface{}{
-					"public_key": c.publicKey,
-				},
-			},
-		}
-		return &vault.Secret{Data: publicKey}, nil
-	}
-
-	testdata := map[string]interface{}{
-		"type": c.keyType,
-	}
-	return &vault.Secret{Data: testdata}, nil
-}
-
-func (c *fakeVaultClient) Write(path string, data map[string]interface{}) (*vault.Secret, error) {
-	if c.genericVaultWriteError {
-		return nil, errors.New("Vault Write errror")
-	}
-
-	if c.invalidSignatureResponse {
-		var responseData map[string]interface{}
-		if c.typeAssertionError {
-			responseData = map[string]interface{}{
-				"signature": 1,
-			}
-		} else {
-			responseData = map[string]interface{}{
-				"invalid": "12345",
-			}
-		}
-		return &vault.Secret{
-			Data: responseData,
-		}, nil
-	}
-
-	sm, err := artifact.GetKeyAndSignMethod([]byte(c.privateKey))
-	if err != nil {
-		return nil, errors.Wrap(err, "error getting key and sign method")
-	}
-	hash, err := base64.StdEncoding.DecodeString(data["input"].(string))
-	if err != nil {
-		return nil, errors.Wrap(err, "error decoding message hash")
-	}
-	switch c.keyType {
-	case "rsa-2048":
-		sig, err := rsa.SignPKCS1v15(rand.Reader, sm.Key.(*rsa.PrivateKey), crypto.SHA256, hash)
-		if err != nil {
-			return nil, errors.Wrap(err, "error signing message hash")
-		}
-		responseData := map[string]interface{}{
-			"signature": "vault:v1:" + base64.StdEncoding.EncodeToString(sig),
-		}
-		return &vault.Secret{
-			Data: responseData,
-		}, nil
-
-	case "ecdsa-p256":
-		privKey := sm.Key.(*ecdsa.PrivateKey)
-		sig, err := privKey.Sign(rand.Reader, hash, nil)
-		if err != nil {
-			return nil, errors.Wrap(err, "error signing message hash")
-		}
-		var parsedSig struct{ R, S *big.Int }
-		if _, err := asn1.Unmarshal(sig, &parsedSig); err != nil {
-			return nil, errors.Wrap(err, "signer: failed to parse ECDSA signature")
-		}
-		marshaledSigBytes, err := artifact.MarshalECDSASignature(parsedSig.R, parsedSig.S)
-		if err != nil {
-			return nil, err
-		}
-		responseData := map[string]interface{}{
-			"signature": "vault:v1:" + base64.RawURLEncoding.EncodeToString(marshaledSigBytes),
-		}
-		return &vault.Secret{
-			Data: responseData,
-		}, nil
-	}
-	return nil, nil
-}
diff --git a/cli/artifacts.go b/cli/artifacts.go
index 44e0d59..302f5bb 100644
--- a/cli/artifacts.go
+++ b/cli/artifacts.go
@@ -25,7 +25,6 @@ import (
 	"github.com/mendersoftware/mender-artifact/areader"
 	"github.com/mendersoftware/mender-artifact/artifact"
 	"github.com/mendersoftware/mender-artifact/artifact/gcp"
-	"github.com/mendersoftware/mender-artifact/artifact/vault"
 	"github.com/mendersoftware/mender-artifact/awriter"
 	"github.com/mendersoftware/mender-artifact/handlers"
 
@@ -126,7 +125,7 @@ type SigningKey interface {
 
 func getKey(c *cli.Context) (SigningKey, error) {
 	var chosenOptions []string
-	possibleOptions := []string{"key", "gcp-kms-key", "vault-transit-key", "key-pkcs11"}
+	possibleOptions := []string{"key", "gcp-kms-key", "key-pkcs11"}
 	for _, optName := range possibleOptions {
 		if c.String(optName) == "" {
 			continue
@@ -170,8 +169,6 @@ func getKey(c *cli.Context) (SigningKey, error) {
 			"please add command to allowlist", c.Command.Name, "key")
 	case "gcp-kms-key":
 		return gcp.NewKMSSigner(context.TODO(), c.String("gcp-kms-key"))
-	case "vault-transit-key":
-		return vault.NewVaultSigner(c.String("vault-transit-key"))
 	case "key-pkcs11":
 		return artifact.NewPKCS11Signer(c.String("key-pkcs11"))
 	default:
diff --git a/cli/cli.go b/cli/cli.go
index e7a35bc..25f8bc8 100644
--- a/cli/cli.go
+++ b/cli/cli.go
@@ -133,15 +133,6 @@ func getCliContext() *cli.App {
 			"the Artifact.",
 	}
 
-	vaultTransitKeyFlag := cli.StringFlag{
-		Name: "vault-transit-key",
-		Usage: "Key name of the Hashicorp Vault transit key that will be used to sign " +
-			"the Artifact. VAULT_TOKEN and VAULT_MOUNT_PATH environment variables " +
-			"needs to be provided. The default Hashicorp Vault URL can be overridden with " +
-			"VAULT_ADDR environment variable. If key rotation is used, the key version " +
-			"to sign can be specified with VAULT_KEY_VERSION environment variable.",
-	}
-
 	pkcs11Flag := cli.StringFlag{
 		Name:  "key-pkcs11",
 		Usage: "Use PKCS#11 interface to sign and verify artifacts",
@@ -250,7 +241,6 @@ func getCliContext() *cli.App {
 		},
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 		cli.StringSliceFlag{
 			Name: "script, s",
 			Usage: "Full path to the state script(s). You can specify multiple " +
@@ -382,7 +372,6 @@ func getCliContext() *cli.App {
 		compressionFlag,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 		//////////////////////
 		// Sotware versions //
 		//////////////////////
@@ -435,7 +424,6 @@ func getCliContext() *cli.App {
 		payloadDepends,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 		/////////////////////////
 		// Version 3 specifics.//
 		/////////////////////////
@@ -470,7 +458,6 @@ func getCliContext() *cli.App {
 		Flags: []cli.Flag{
 			publicKeyFlag,
 			gcpKMSKeyFlag,
-			vaultTransitKeyFlag,
 			pkcs11Flag,
 		},
 	}
@@ -488,7 +475,6 @@ func getCliContext() *cli.App {
 		Flags: []cli.Flag{
 			publicKeyFlag,
 			gcpKMSKeyFlag,
-			vaultTransitKeyFlag,
 			pkcs11Flag,
 			cli.BoolFlag{
 				Name:  "no-progress",
@@ -512,7 +498,6 @@ func getCliContext() *cli.App {
 	sign.Flags = []cli.Flag{
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 		cli.StringFlag{
 			Name: "output-path, o",
 			Usage: "Full path to output signed artifact file; " +
@@ -578,7 +563,6 @@ func getCliContext() *cli.App {
 		},
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 		compressionFlag,
 	}
 	modify.Before = func(c *cli.Context) error {
@@ -603,7 +587,6 @@ func getCliContext() *cli.App {
 		compressionFlag,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		vaultTransitKeyFlag,
 	}
 
 	cat := cli.Command{
diff --git a/cli/dump_test.go b/cli/dump_test.go
index 4a3fb8e..f9a6366 100644
--- a/cli/dump_test.go
+++ b/cli/dump_test.go
@@ -275,7 +275,6 @@ func testDumpContent(t *testing.T, imageType, printCmdline string) {
 		"device-type",
 		"file",
 		"gcp-kms-key",                  // Not tested in "dump".
-		"vault-transit-key",            // Not tested in "dump".
 		"key",                          // Not tested in "dump".
 		"legacy-rootfs-image-checksum", // Not relevant for "dump", which uses "module-image".
 		"meta-data",
diff --git a/cli/modify_existing_test.go b/cli/modify_existing_test.go
index 8067da7..c3e93ca 100644
--- a/cli/modify_existing_test.go
+++ b/cli/modify_existing_test.go
@@ -458,7 +458,6 @@ Updates:
 		"device-type",
 		"file",
 		"gcp-kms-key",
-		"vault-transit-key",
 		"key",
 		"output-path",
 		"script",
@@ -466,7 +465,6 @@ Updates:
 	modifyFlagsTested.addFlags([]string{
 		"artifact-name",
 		"gcp-kms-key",
-		"vault-transit-key",
 		"key",
 		"name",
 	})