From: Simon Josefsson <simon@josefsson.org>
Date: Thu, 11 Dec 2025 11:13:02 +0100
Subject: [PATCH] Disable hcVault
Forwarded: not-needed

diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go
index a8f65fc..9dcc0f8 100644
--- a/pkg/signer/tink.go
+++ b/pkg/signer/tink.go
@@ -25,7 +25,6 @@ import (
 	tinkUtils "github.com/sigstore/sigstore/pkg/signature/tink"
 	"github.com/tink-crypto/tink-go-awskms/v2/integration/awskms"
 	"github.com/tink-crypto/tink-go-gcpkms/v2/integration/gcpkms"
-	"github.com/tink-crypto/tink-go-hcvault/v2/integration/hcvault"
 	"github.com/tink-crypto/tink-go/v2/core/registry"
 	"github.com/tink-crypto/tink-go/v2/keyset"
 	"github.com/tink-crypto/tink-go/v2/tink"
@@ -68,13 +67,6 @@ func GetPrimaryKey(ctx context.Context, kmsKey, hcVaultToken string) (tink.AEAD,
 		}
 		registry.RegisterKMSClient(awsClient)
 		return awsClient.GetAEAD(kmsKey)
-	case strings.HasPrefix(kmsKey, "hcvault://"):
-		hcVaultClient, err := hcvault.NewClient(kmsKey, nil, hcVaultToken)
-		if err != nil {
-			return nil, err
-		}
-		registry.RegisterKMSClient(hcVaultClient)
-		return hcVaultClient.GetAEAD(kmsKey)
 	default:
 		return nil, errors.New("unsupported Tink KMS key type")
 	}