diff --git a/cmd/fetch-tsa-certs/fetch_tsa_certs.go b/cmd/fetch-tsa-certs/fetch_tsa_certs.go index 012cccd7..8a75ade5 100644 --- a/cmd/fetch-tsa-certs/fetch_tsa_certs.go +++ b/cmd/fetch-tsa-certs/fetch_tsa_certs.go @@ -195,7 +195,7 @@ func fetchCertificateChain(ctx context.Context, parent, intermediateKMSKey, leaf if err != nil { return nil, err } - leafKMSSigner, err = signer.KeyHandleToSigner(kh) + leafKMSSigner, _, err = signer.KeyHandleToSigner(kh) if err != nil { return nil, err } diff --git a/go.mod b/go.mod index d25ded45..3b57786a 100644 --- a/go.mod +++ b/go.mod @@ -40,6 +40,16 @@ require ( sigs.k8s.io/release-utils v0.7.7 ) +replace github.com/sigstore/sigstore => github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c + +replace github.com/sigstore/sigstore/pkg/signature/kms/aws => github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c + +replace github.com/sigstore/sigstore/pkg/signature/kms/azure => github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c + +replace github.com/sigstore/sigstore/pkg/signature/kms/gcp => github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c + +replace github.com/sigstore/sigstore/pkg/signature/kms/hashivault => github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c + require ( cloud.google.com/go v0.110.10 // indirect cloud.google.com/go/compute v1.23.3 // indirect 
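Review bot: The five `replace` directives redirect github.com/sigstore/sigstore and its four KMS submodules to a personal fork (github.com/malancas/sigstore) at an untagged pseudo-version, so the build now trusts code that sits outside the upstream project's review and release process. The fork presumably carries the API change NewCryptoSigner relies on (the extra return value from signer.CryptoSigner); that change should be merged and tagged upstream and the replaces dropped before this ships in a release. Until then, mark the block as temporary and tie it to the upstream work, e.g. `// TODO: remove once sigstore/sigstore <UPSTREAM-PR-PLACEHOLDER> is released` above the first replace, so it is not forgotten in go.mod.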
@@ -55,20 +65,21 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go v1.48.7 // indirect - github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect - github.com/aws/aws-sdk-go-v2/config v1.19.1 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect - github.com/aws/smithy-go v1.15.0 // indirect + github.com/aws/aws-sdk-go v1.48.11 // indirect + github.com/aws/aws-sdk-go-v2 v1.23.5 // indirect + github.com/aws/aws-sdk-go-v2/config v1.25.11 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.16.9 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 // indirect + github.com/aws/aws-sdk-go-v2/service/kms v1.27.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc 
v1.21.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 // indirect + github.com/aws/smithy-go v1.18.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect @@ -138,7 +149,7 @@ require ( go.uber.org/multierr v1.10.0 // indirect golang.org/x/crypto v0.16.0 // indirect golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect - golang.org/x/oauth2 v0.14.0 // indirect + golang.org/x/oauth2 v0.15.0 // indirect golang.org/x/sync v0.5.0 // indirect golang.org/x/sys v0.15.0 // indirect golang.org/x/term v0.15.0 // indirect diff --git a/go.sum b/go.sum index 60df5ba1..f5b2f6d9 100644 --- a/go.sum +++ b/go.sum 
@@ -72,34 +72,36 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.48.7 h1:gDcOhmkohlNk20j0uWpko5cLBbwSkB+xpkshQO45F7Y= -github.com/aws/aws-sdk-go v1.48.7/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= -github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= -github.com/aws/aws-sdk-go-v2/config v1.19.1 h1:oe3vqcGftyk40icfLymhhhNysAwk0NfiwkDi2GTPMXs= -github.com/aws/aws-sdk-go-v2/config v1.19.1/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= 
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7 h1:uRGw0UKo5hc7M2T7uGsK/Yg2qwecq/dnVjQbbq9RCzY= -github.com/aws/aws-sdk-go-v2/service/kms v1.24.7/go.mod h1:z3O9CXfVrKAV3c9fMWOUUv2C6N2ggXCDHeXpOB6lAEk= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= -github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= -github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= -github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= -github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/aws/aws-sdk-go v1.48.11 h1:9YbiSbaF/jWi+qLRl+J5dEhr2mcbDYHmKg2V7RBcD5M= +github.com/aws/aws-sdk-go v1.48.11/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go-v2 v1.23.5 h1:xK6C4udTyDMd82RFvNkDQxtAd00xlzFUtX4fF2nMZyg= +github.com/aws/aws-sdk-go-v2 v1.23.5/go.mod h1:t3szzKfP0NeRU27uBFczDivYJjsmSnqI8kIvKyWb9ds= +github.com/aws/aws-sdk-go-v2/config v1.25.11 h1:RWzp7jhPRliIcACefGkKp03L0Yofmd2p8M25kbiyvno= +github.com/aws/aws-sdk-go-v2/config v1.25.11/go.mod h1:BVUs0chMdygHsQtvaMyEOpW2GIW+ubrxJLgIz/JU29s= +github.com/aws/aws-sdk-go-v2/credentials v1.16.9 h1:LQo3MUIOzod9JdUK+wxmSdgzLVYUbII3jXn3S/HJZU0= 
+github.com/aws/aws-sdk-go-v2/credentials v1.16.9/go.mod h1:R7mDuIJoCjH6TxGUc/cylE7Lp/o0bhKVoxdBThsjqCM= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9 h1:FZVFahMyZle6WcogZCOxo6D/lkDA2lqKIn4/ueUmVXw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.9/go.mod h1:kjq7REMIkxdtcEC9/4BVXjOsNY5isz6jQbEgk6osRTU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8 h1:8GVZIR0y6JRIUNSYI1xAMF4HDfV8H/bOsZ/8AD/uY5Q= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.8/go.mod h1:rwBfu0SoUkBUZndVgPZKAD9Y2JigaZtRP68unRiYToQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8 h1:ZE2ds/qeBkhk3yqYvS3CDCFNvd9ir5hMjlVStLZWrvM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.8/go.mod h1:/lAPPymDYL023+TS6DJmjuL42nxix2AvEvfjqOBRODk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 h1:uR9lXYjdPX0xY+NhvaJ4dD8rpSRz5VY81ccIIoNG+lw= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3 h1:e3PCNeEaev/ZF01cQyNZgmYE9oYYePIMJs2mWSKG514= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.3/go.mod h1:gIeeNyaL8tIEqZrzAnTeyhHcE0yysCtcaP+N9kxLZ+E= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8 h1:EamsKe+ZjkOQjDdHd86/JCEucjFKQ9T0atWKO4s2Lgs= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.8/go.mod h1:Q0vV3/csTpbkfKLI5Sb56cJQTCTtJ0ixdb7P+Wedqiw= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.2 h1:I0NiSQiZu1UzP0akJWXSacjckEpYdN4VN7XYYfW6EYs= +github.com/aws/aws-sdk-go-v2/service/kms v1.27.2/go.mod h1:E2IzqbIZfYuYUgib2KxlaweBbkxHCb3ZIgnp85TjKic= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.2 h1:xJPydhNm0Hiqct5TVKEuHG7weC0+sOs4MUnd7A5n5F4= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.2/go.mod h1:zxk6y1X2KXThESWMS5CrKRvISD8mbIMab6nZrCGxDG0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2 h1:8dU9zqA77C5egbU6yd4hFLaiIdPv3rU+6cp7sz5FjCU= 
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.2/go.mod h1:7Lt5mjQ8x5rVdKqg+sKKDeuwoszDJIIPmkd8BVsEdS0= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.2 h1:fFrLsy08wEbAisqW3KDl/cPHrF43GmV79zXB9EwJiZw= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.2/go.mod h1:7Ld9eTqocTvJqqJ5K/orbSDwmGcpRdlDiLjz2DO+SL8= +github.com/aws/smithy-go v1.18.1 h1:pOdBTUfXNazOlxLrgeYalVnuTpKreACHtc62xLwIB3c= +github.com/aws/smithy-go v1.18.1/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/beevik/ntp v1.3.0 h1:/w5VhpW5BGKS37vFm1p9oVk/t4HnnkKZAZIubHM6F7Q= github.com/beevik/ntp v1.3.0/go.mod h1:vD6h1um4kzXpqmLTuu0cCLcC+NfvC0IC+ltmEDA8E78= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -284,7 +286,6 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ= 
@@ -398,6 +399,16 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c h1:V3NMY5gJJB901liy3e5IjMLTLqeiziHBRsKVVXg8bOg= +github.com/malancas/sigstore v0.0.0-20231206031758-2ec4921c801c/go.mod h1:FJE+NpEZIs4QKqZl4B2RtaVLVDcDtocAwTiNlexeBkY= +github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c h1:hgdNICpzmn9rGFmSwOryooOscYanM4vsX7KQQzQFBLc= +github.com/malancas/sigstore/pkg/signature/kms/aws v0.0.0-20231206031758-2ec4921c801c/go.mod h1:3zOHOLHnCE6EXyVH+6Z/lC9O1RDsbmR045NQ1DogiHw= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c h1:5TE5NfEiQ+xVi6r+HfH8ILcE6FQCSSyYEboay6JWBSA= +github.com/malancas/sigstore/pkg/signature/kms/azure v0.0.0-20231206031758-2ec4921c801c/go.mod h1:LH+ct6D77J8Ks6PXijMYYhmlQ1mbqKHbmy7+Sw5/Woc= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c h1:/Z42a+cxoa9zAPmIiVakeITFpaFyAoNEbBVLbuLx898= +github.com/malancas/sigstore/pkg/signature/kms/gcp v0.0.0-20231206031758-2ec4921c801c/go.mod h1:Hwhlx8JSZJF1R27JlwW/Bl2h40reG3MfKANREtBI0L8= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c h1:LvGdjfm+9LdQIEegxysv7+8UDOFYrtNfA+nJFKcIJ3Y= +github.com/malancas/sigstore/pkg/signature/kms/hashivault v0.0.0-20231206031758-2ec4921c801c/go.mod h1:/l/PzSbTOuIAtglOwUdlzzYvjIZ2WyaBpt5722JTmLY= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.0.9/go.mod 
h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= @@ -464,16 +475,6 @@ github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6g github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg= github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI= -github.com/sigstore/sigstore v1.7.5 h1:ij55dBhLwjICmLTBJZm7SqoQLdsu/oowDanACcJNs48= -github.com/sigstore/sigstore v1.7.5/go.mod h1:9OCmYWhzuq/G4e1cy9m297tuMRJ1LExyrXY3ZC3Zt/s= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5 h1:ilufPp36exfpivctI3ElU4ZTckP3eVu6RxYebBb6u+M= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.5/go.mod h1:121n8nBnuXbcI6K0hIBo/0EMYiyXqGVzbIYd0rV0ZWw= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5 h1:gLdNJJo+xMf7+IeFRlyA/Pjavndo9rivmf5ioYeuPmM= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5/go.mod h1:9nJQA5YgWsXrwjrVoVaO8JfTI/TpPF+oAkpkNKZu6lo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.5 h1:Ku3MD55VXR7+uezCS4LOY0+y2EZFlGCGFyzl+ZSoPyo= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.5/go.mod h1:FsNzxmFGATZS5ynkJLLXm9g2zHD0Xw23iJs7lM/asPo= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5 h1:yWNBuL52Je3ukUGry1qwg00ujJF2UFWShzXFIAtmxZU= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.7.5/go.mod h1:EI9vDWVGG8fQU9aFMY7Bd204xJiqmXcDMSkFifCf16Q= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= 
@@ -662,8 +663,8 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0= -golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= +golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ= +golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= diff --git a/pkg/api/api.go b/pkg/api/api.go index 817463ce..1d62e710 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -18,7 +18,6 @@ package api import ( "bytes" "context" - "crypto" "crypto/x509" "fmt" "os" @@ -34,10 +33,9 @@ import ( ) type API struct { - tsaSigner crypto.Signer // the signer to use for timestamping - tsaSignerHash crypto.Hash // hash algorithm used to hash pre-signed timestamps - certChain []*x509.Certificate // timestamping cert chain - certChainPem string // PEM encoded timestamping cert chain + tsaSigner signer.WrappedSigner // the signer to use for timestamping + certChain []*x509.Certificate // timestamping cert chain + certChainPem string // PEM encoded timestamping cert chain } func NewAPI() (*API, error) { 
@@ -47,12 +45,17 @@ func NewAPI() (*API, error) { if err != nil { return nil, errors.Wrap(err, "error getting hash") } - tsaSigner, err := signer.NewCryptoSigner(ctx, tsaSignerHash, - viper.GetString("timestamp-signer"), - viper.GetString("kms-key-resource"), - viper.GetString("tink-key-resource"), viper.GetString("tink-keyset-path"), - viper.GetString("tink-hcvault-token"), - viper.GetString("file-signer-key-path"), viper.GetString("file-signer-passwd")) + + config := signer.Config{ + Scheme: signer.Scheme(viper.GetString("timestamp-signer")), + CloudKMSKey: viper.GetString("kms-key-resource"), + TinkKMSKey: viper.GetString("tink-key-resource"), + TinkKeysetPath: viper.GetString("tink-keyset-path"), + HCVaultToken: viper.GetString("tink-hcvault-token"), + FileSignerPath: viper.GetString("file-signer-key-path"), + FileSignerPasswd: viper.GetString("file-signer-passwd"), + } + tsaSigner, err := signer.NewCryptoSigner(ctx, tsaSignerHash, config) if err != nil { return nil, errors.Wrap(err, "getting new tsa signer") } @@ -60,7 +63,7 @@ func NewAPI() (*API, error) { var certChain []*x509.Certificate // KMS, Tink and File signers require a provided certificate chain - if viper.GetString("timestamp-signer") != signer.MemoryScheme { + if signer.Scheme(viper.GetString("timestamp-signer")) != signer.MemoryScheme { certChainPath := viper.GetString("certificate-chain-path") data, err := os.ReadFile(filepath.Clean(certChainPath)) if err != nil { @@ -87,10 +90,9 @@ func NewAPI() (*API, error) { } return &API{ - tsaSigner: tsaSigner, - tsaSignerHash: tsaSignerHash, - certChain: certChain, - certChainPem: string(certChainPEM), + tsaSigner: tsaSigner, + certChain: certChain, + certChainPem: string(certChainPEM), }, nil } diff --git a/pkg/api/timestamp.go b/pkg/api/timestamp.go index b17a538f..72d31e32 100644 --- a/pkg/api/timestamp.go +++ b/pkg/api/timestamp.go 
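Review bot: `tsaSignerHash` is still parsed from configuration and passed into `signer.NewCryptoSigner`, but `NewAPI` no longer keeps it and `TimestampResponseHandler` now uses `tsaSigner.HashFunc()`, so for the memory, KMS (except HashiVault, per the comment in signer.go) and Tink schemes the configured hash is silently ignored in favour of the signer's own value. An operator who configures one hash and gets another would want that surfaced: after `NewCryptoSigner` returns, compare `tsaSigner.HashFunc()` with `tsaSignerHash` and log a warning or return an error when they differ, and document that the setting only takes effect for file and HashiVault keys. Separately, `signer.Scheme(viper.GetString("timestamp-signer"))` is evaluated both in the `Config` literal here and in the `!= signer.MemoryScheme` check in the next hunk; one local `scheme := signer.Scheme(viper.GetString("timestamp-signer"))` used in both places avoids the duplicated conversion. NewAPI starts before and ends after this hunk.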
@@ -173,7 +173,7 @@ func TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.R ExtraExtensions: req.Extensions, } - resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, api.tsaSignerHash) + resp, err := tsStruct.CreateResponseWithOpts(api.certChain[0], api.tsaSigner, api.tsaSigner.HashFunc()) if err != nil { return handleTimestampAPIError(params, http.StatusInternalServerError, err, failedToGenerateTimestampResponse) } diff --git a/pkg/signer/file.go b/pkg/signer/file.go index c268cb0f..dcc88754 100644 --- a/pkg/signer/file.go +++ b/pkg/signer/file.go @@ -28,6 +28,11 @@ import ( // File returns a file-based signer and verifier, used for local testing type File struct { crypto.Signer + hashFunc crypto.Hash +} + +func (f File) HashFunc() crypto.Hash { + return f.hashFunc } func NewFileSigner(keyPath, keyPass string, hash crypto.Hash) (*File, error) { @@ -35,6 +40,7 @@ func NewFileSigner(keyPath, keyPass string, hash crypto.Hash) (*File, error) { if err != nil { return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err) } + // Cannot use signature.LoadSignerVerifier because the SignerVerifier interface does not extend crypto.Signer switch pk := opaqueKey.(type) { case *rsa.PrivateKey: @@ -42,19 +48,19 @@ func NewFileSigner(keyPath, keyPass string, hash crypto.Hash) (*File, error) { if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, hash}, nil case *ecdsa.PrivateKey: signer, err := signature.LoadECDSASignerVerifier(pk, hash) if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, hash}, nil case ed25519.PrivateKey: signer, err := signature.LoadED25519SignerVerifier(pk) if err != nil { return nil, err } - return &File{signer}, nil + return &File{signer, hash}, nil default: return nil, fmt.Errorf("unsupported private key type, must be RSA, ECDSA, or ED25519") } 
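Review bot: In the `ed25519.PrivateKey` case the configured `hash` is stored in `File` even though `signature.LoadED25519SignerVerifier(pk)` does not take it, so `File.HashFunc()` reports the configured hash for a pure Ed25519 key while the Tink path (`KeyHandleToSigner` returns an empty hash name for Ed25519, which `getHashFromName` maps to `crypto.Hash(0)`) reports Hash(0) for the same key type. Pick one convention and apply it in both places; if Hash(0) is the intended value for Ed25519, change this line to `return &File{signer, crypto.Hash(0)}, nil` and say so in a comment. The three struct literals are also unkeyed; `&File{Signer: signer, hashFunc: hash}` keeps them readable and robust to field reordering.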
diff --git a/pkg/signer/memory.go b/pkg/signer/memory.go index 15593b78..bc25873f 100644 --- a/pkg/signer/memory.go +++ b/pkg/signer/memory.go @@ -30,6 +30,15 @@ import ( tsx509 "github.com/sigstore/timestamp-authority/pkg/x509" ) +type Memory struct { + crypto.Signer + hashFunc crypto.Hash +} + +func (m Memory) HashFunc() crypto.Hash { + return m.hashFunc +} + // NewTimestampingCertWithChain generates an in-memory certificate chain. func NewTimestampingCertWithChain(signer crypto.Signer) ([]*x509.Certificate, error) { now := time.Now() diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go index ca03d114..b83aba2c 100644 --- a/pkg/signer/memory_test.go +++ b/pkg/signer/memory_test.go @@ -30,7 +30,10 @@ import ( func TestNewTimestampingCertWithChain(t *testing.T) { ctx := context.Background() - signer, err := NewCryptoSigner(ctx, crypto.Hash(0), "memory", "", "", "", "", "", "") + config := Config{ + Scheme: MemoryScheme, + } + signer, err := NewCryptoSigner(ctx, crypto.Hash(0), config) if err != nil { t.Fatalf("new signer: %v", err) } diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go index b9b9663a..c1e783ab 100644 --- a/pkg/signer/signer.go +++ b/pkg/signer/signer.go 
@@ -32,33 +32,64 @@ import ( _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault" ) -const KMSScheme = "kms" -const TinkScheme = "tink" -const MemoryScheme = "memory" -const FileScheme = "file" +type Scheme string -func NewCryptoSigner(ctx context.Context, hash crypto.Hash, signer, kmsKey, tinkKmsKey, tinkKeysetPath, hcVaultToken, fileSignerPath, fileSignerPasswd string) (crypto.Signer, error) { - switch signer { +const ( + KMSScheme Scheme = "kms" + TinkScheme Scheme = "tink" + MemoryScheme Scheme = "memory" + FileScheme Scheme = "file" +) + +type WrappedSigner interface { + crypto.Signer + HashFunc() crypto.Hash +} + +type KMS struct { + crypto.Signer + hashFunc crypto.Hash +} + +func (k KMS) HashFunc() crypto.Hash { + return k.hashFunc +} + +type Config struct { + Scheme Scheme + CloudKMSKey string + TinkKMSKey string + TinkKeysetPath string + HCVaultToken string + FileSignerPath string + FileSignerPasswd string +} + +func NewCryptoSigner(ctx context.Context, hash crypto.Hash, config Config) (WrappedSigner, error) { + switch config.Scheme { case MemoryScheme: sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256) - return sv, err + return Memory{sv, crypto.SHA256}, err case FileScheme: - return NewFileSigner(fileSignerPath, fileSignerPasswd, hash) + return NewFileSigner(config.FileSignerPath, config.FileSignerPasswd, hash) case KMSScheme: - signer, err := kms.Get(ctx, kmsKey, hash) // hash is ignored for all KMS providers except Hashivault + signer, err := kms.Get(ctx, config.CloudKMSKey, hash) // hash is ignored for all KMS providers except Hashivault if err != nil { return nil, err } - s, _, err := signer.CryptoSigner(ctx, func(err error) {}) - return s, err + s, signerOpts, err := signer.CryptoSigner(ctx, func(err error) {}) + return KMS{ + s, + signerOpts.HashFunc(), + }, err case TinkScheme: - primaryKey, err := GetPrimaryKey(ctx, tinkKmsKey, hcVaultToken) + primaryKey, err := GetPrimaryKey(ctx, 
config.TinkKMSKey, config.HCVaultToken) if err != nil { return nil, err } - return NewTinkSigner(ctx, tinkKeysetPath, primaryKey) + return NewTinkSigner(ctx, config.TinkKeysetPath, primaryKey) default: - return nil, fmt.Errorf("unsupported signer type: %s", signer) + return nil, fmt.Errorf("unsupported signer type: %s", config.Scheme) } } diff --git a/pkg/signer/tink.go b/pkg/signer/tink.go index 6a602cb8..598474b5 100644 --- a/pkg/signer/tink.go +++ b/pkg/signer/tink.go @@ -50,8 +50,17 @@ var ( ed25519SignerTypeURL = "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey" ) +type Tink struct { + crypto.Signer + hashFunc crypto.Hash +} + +func (t Tink) HashFunc() crypto.Hash { + return t.hashFunc +} + // NewTinkSigner creates a signer by decrypting a local Tink keyset with a remote KMS encryption key -func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (crypto.Signer, error) { +func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEAD) (*Tink, error) { f, err := os.Open(filepath.Clean(tinkKeysetPath)) if err != nil { return nil, err @@ -62,11 +71,29 @@ func NewTinkSigner(_ context.Context, tinkKeysetPath string, primaryKey tink.AEA if err != nil { return nil, err } - signer, err := KeyHandleToSigner(kh) + signer, hashName, err := KeyHandleToSigner(kh) if err != nil { return nil, err } - return signer, nil + + t := Tink{ + signer, + getHashFromName(hashName), + } + return &t, nil +} + +func getHashFromName(name string) crypto.Hash { + lowercaseAlg := strings.ToLower(name) + switch lowercaseAlg { + case "sha256": + return crypto.SHA256 + case "sha384": + return crypto.SHA384 + case "sha512": + return crypto.SHA512 + } + return crypto.Hash(0) } // GetPrimaryKey returns a Tink AEAD encryption key from KMS 
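Review bot: In the `KMSScheme` case `signerOpts.HashFunc()` is evaluated before `err` is checked, so if `signer.CryptoSigner` fails and hands back a nil `signerOpts` the method call panics instead of returning the error. The `MemoryScheme` case has the same shape: it wraps `sv` in `Memory{...}` and returns it alongside a possibly non-nil `err`, giving the caller a non-nil `WrappedSigner` that holds a nil signer. Check the error first in both cases and return a bare `nil` on failure, as below. The new exported names (`Scheme`, `WrappedSigner`, `KMS`, `Config`) also have no doc comments, and `KMS`, `Memory` and `Tink` are three byte-identical wrappers that could be one type.
```go
	case MemoryScheme:
		sv, _, err := signature.NewECDSASignerVerifier(elliptic.P256(), rand.Reader, crypto.SHA256)
		if err != nil {
			return nil, err
		}
		return Memory{sv, crypto.SHA256}, nil
	// … unchanged: FileScheme case …
	case KMSScheme:
		signer, err := kms.Get(ctx, config.CloudKMSKey, hash) // hash is ignored for all KMS providers except Hashivault
		if err != nil {
			return nil, err
		}
		s, signerOpts, err := signer.CryptoSigner(ctx, func(err error) {})
		if err != nil {
			return nil, err
		}
		return KMS{s, signerOpts.HashFunc()}, nil
	// … unchanged: TinkScheme and default cases …
```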
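Review bot: `getHashFromName` silently returns `crypto.Hash(0)` for any name it does not recognise, including the empty string that `KeyHandleToSigner` returns for Ed25519 keys, and `NewTinkSigner` stores that value without complaint; `TimestampResponseHandler` then passes it straight to `CreateResponseWithOpts`. If Hash(0) is only meant for Ed25519, have the helper return `(crypto.Hash, error)` (or a found bool) so an unexpected ECDSA hash name fails in `NewTinkSigner` rather than at signing time. Either way the contract should be written down, e.g. `// getHashFromName maps a Tink hash name to crypto.Hash; Ed25519 keysets carry no hash name and map to crypto.Hash(0).` The `Tink{...}` literal is also unkeyed; `Tink{Signer: signer, hashFunc: getHashFromName(hashName)}` reads more clearly.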
@@ -101,13 +128,13 @@ func GetPrimaryKey(ctx context.Context, kmsKey, hcVaultToken string) (tink.AEAD, // KeyHandleToSigner converts a key handle to the crypto.Signer interface. // Heavily pulls from Tink's signature and subtle packages. -func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) { +func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, string, error) { // extract the key material from the key handle ks := insecurecleartextkeyset.KeysetMaterial(kh) k := getPrimaryKey(ks) if k == nil { - return nil, errors.New("no enabled key found in keyset") + return nil, "", errors.New("no enabled key found in keyset") } switch k.GetTypeUrl() { 
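Review bot: The doc comment on `KeyHandleToSigner` still describes a single `crypto.Signer` result, while the signature now also returns a hash name that, per the Ed25519 branch later in the function, is empty for Ed25519 keys. Extend it so callers know what the second value means, e.g. `// KeyHandleToSigner converts a key handle to the crypto.Signer interface and returns the Tink hash name of the primary key; the name is empty for Ed25519 keys, which carry none.` The function body continues past this hunk.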
@@ -115,33 +142,33 @@ func KeyHandleToSigner(kh *keyset.Handle) (crypto.Signer, error) { // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/ecdsa_signer_key_manager.go#L48 privKey := new(ecdsapb.EcdsaPrivateKey) if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, fmt.Errorf("error unmarshalling ecdsa private key: %w", err) + return nil, "", fmt.Errorf("error unmarshalling ecdsa private key: %w", err) } if err := validateEcdsaPrivKey(privKey); err != nil { - return nil, fmt.Errorf("error validating ecdsa private key: %w", err) + return nil, "", fmt.Errorf("error validating ecdsa private key: %w", err) } // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/subtle/ecdsa_signer.go#L39 - _, curve, _ := getECDSAParamNames(privKey.PublicKey.Params) + hashName, curve, _ := getECDSAParamNames(privKey.PublicKey.Params) p := new(ecdsa.PrivateKey) c := subtle.GetCurve(curve) p.PublicKey.Curve = c p.D = new(big.Int).SetBytes(privKey.GetKeyValue()) p.PublicKey.X, p.PublicKey.Y = c.ScalarBaseMult(privKey.GetKeyValue()) - return p, nil + return p, hashName, nil case ed25519SignerTypeURL: // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/ed25519_signer_key_manager.go#L47 privKey := new(ed25519pb.Ed25519PrivateKey) if err := proto.Unmarshal(k.GetValue(), privKey); err != nil { - return nil, fmt.Errorf("error unmarshalling ed25519 private key: %w", err) + return nil, "", fmt.Errorf("error unmarshalling ed25519 private key: %w", err) } if err := validateEd25519PrivKey(privKey); err != nil { - return nil, fmt.Errorf("error validating ed25519 private key: %w", err) + return nil, "", fmt.Errorf("error validating ed25519 private key: %w", err) } // https://github.com/google/tink/blob/9753ffddd4d04aa56e0605ff4a0db46f2fb80529/go/signature/subtle/ed25519_signer.go#L29 p := ed25519.NewKeyFromSeed(privKey.GetKeyValue()) - return p, nil + return 
p, "", nil default: - return nil, fmt.Errorf("unsupported key type: %s", k.GetTypeUrl()) + return nil, "", fmt.Errorf("unsupported key type: %s", k.GetTypeUrl()) } } diff --git a/pkg/signer/tink_test.go b/pkg/signer/tink_test.go index d08338c5..84ae0262 100644 --- a/pkg/signer/tink_test.go +++ b/pkg/signer/tink_test.go @@ -16,6 +16,7 @@ package signer import ( "context" + "crypto" "crypto/ecdsa" "crypto/ed25519" "crypto/rand" 
@@ -35,68 +36,94 @@ import ( "github.com/google/tink/go/signature" ) -type TestStruct struct { - keyTemplate *tink_go_proto.KeyTemplate - h hash.Hash -} - func TestNewTinkSigner(t *testing.T) { - aeskh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) - if err != nil { - t.Fatalf("error creating AEAD key handle: %v", err) - } - a, err := aead.New(aeskh) - if err != nil { - t.Fatalf("error creating AEAD key: %v", err) - } - kh, err := keyset.NewHandle(signature.ECDSAP256KeyTemplate()) - if err != nil { - t.Fatalf("error creating ECDSA key handle: %v", err) - } - khsigner, err := KeyHandleToSigner(kh) - if err != nil { - t.Fatalf("error converting ECDSA key handle to signer: %v", err) + type testcase struct { + keyTemplate *tink_go_proto.KeyTemplate + expectedHashFunc crypto.Hash } - dir := t.TempDir() - keysetPath := filepath.Join(dir, "keyset.json.enc") - f, err := os.Create(keysetPath) - if err != nil { - t.Fatalf("error creating file: %v", err) - } - defer f.Close() - jsonWriter := keyset.NewJSONWriter(f) - if err := kh.Write(jsonWriter, a); err != nil { - t.Fatalf("error writing enc keyset: %v", err) + supportedKeyTypes := []testcase{ + { + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA256, + }, + { + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, + }, + { + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + expectedHashFunc: crypto.SHA512, + }, } - signer, err := NewTinkSigner(context.TODO(), keysetPath, a) - if err != nil { - t.Fatalf("unexpected error creating Tink signer: %v", err) - } + for _, kt := range supportedKeyTypes { + aeskh, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) + if err != nil { + t.Fatalf("error creating AEAD key handle: %v", err) + } + a, err := aead.New(aeskh) + if err != nil { + t.Fatalf("error creating AEAD key: %v", err) + } + kh, err := keyset.NewHandle(kt.keyTemplate) + if err != nil { + t.Fatalf("error creating ECDSA 
key handle: %v", err) + } + khsigner, _, err := KeyHandleToSigner(kh) + if err != nil { + t.Fatalf("error converting ECDSA key handle to signer: %v", err) + } - // Expect signer and key handle's public keys match - if err := cryptoutils.EqualKeys(signer.Public(), khsigner.Public()); err != nil { - t.Fatalf("keys of signer and key handle do not match: %v", err) - } + dir := t.TempDir() + keysetPath := filepath.Join(dir, "keyset.json.enc") + f, err := os.Create(keysetPath) + if err != nil { + t.Fatalf("error creating file: %v", err) + } + defer f.Close() + jsonWriter := keyset.NewJSONWriter(f) + if err := kh.Write(jsonWriter, a); err != nil { + t.Fatalf("error writing enc keyset: %v", err) + } - // Failure: Unable to decrypt keyset - aeskh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) - if err != nil { - t.Fatalf("error creating AEAD key handle: %v", err) - } - a1, err := aead.New(aeskh1) - if err != nil { - t.Fatalf("error creating AEAD key: %v", err) - } - _, err = NewTinkSigner(context.TODO(), keysetPath, a1) - if err == nil || !strings.Contains(err.Error(), "decryption failed") { - t.Fatalf("expected error decrypting keyset, got %v", err) + signer, err := NewTinkSigner(context.TODO(), keysetPath, a) + if err != nil { + t.Fatalf("unexpected error creating Tink signer: %v", err) + } + + if signer.HashFunc() != kt.expectedHashFunc { + t.Fatalf("unexpected hash function: %v", signer.HashFunc()) + } + + // Expect signer and key handle's public keys match + if err := cryptoutils.EqualKeys(signer.Public(), khsigner.Public()); err != nil { + t.Fatalf("keys of signer and key handle do not match: %v", err) + } + + // Failure: Unable to decrypt keyset + aeskh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) + if err != nil { + t.Fatalf("error creating AEAD key handle: %v", err) + } + a1, err := aead.New(aeskh1) + if err != nil { + t.Fatalf("error creating AEAD key: %v", err) + } + _, err = NewTinkSigner(context.TODO(), keysetPath, a1) + if err == nil || 
!strings.Contains(err.Error(), "decryption failed") { + t.Fatalf("expected error decrypting keyset, got %v", err) + } } } func TestKeyHandleToSignerECDSA(t *testing.T) { - supportedKeyTypes := []TestStruct{ + type testcase struct { + keyTemplate *tink_go_proto.KeyTemplate + h hash.Hash + } + + supportedKeyTypes := []testcase{ { keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), h: sha256.New(), @@ -116,10 +143,11 @@ func TestKeyHandleToSignerECDSA(t *testing.T) { t.Fatalf("error creating ECDSA key handle: %v", err) } // convert to crypto.Signer interface - signer, err := KeyHandleToSigner(kh) + signer, _, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ECDSA key handle to signer: %v", err) } + msg := []byte("hello there") // sign with key handle, verify with signer public key @@ -162,7 +190,7 @@ func TestKeyHandleToSignerED25519(t *testing.T) { t.Fatalf("error creating ED25519 key handle: %v", err) } // convert to crypto.Signer interface - signer, err := KeyHandleToSigner(kh) + signer, _, err := KeyHandleToSigner(kh) if err != nil { t.Fatalf("error converting ED25519 key handle to signer: %v", err) } 
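Review bot: `defer f.Close()` now sits inside the `for _, kt := range supportedKeyTypes` loop, so every keyset file stays open until `TestNewTinkSigner` returns, and a `t.Fatalf` in a later iteration gives no indication of which key template was under test. Wrapping the loop body in `t.Run` with a per-case name (add a `name string` field to `testcase`) scopes the defer to the subtest and labels the failure; short of that, close the file explicitly right after `kh.Write` and include the case name in each `Fatalf` message.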
@@ -198,3 +226,44 @@ func TestKeyHandleToSignerED25519(t *testing.T) { t.Fatalf("error verifying with tink verifier: %v", err) } } + +func TestKeyHandleToSigner(t *testing.T) { + type testcase struct { + keyTemplate *tink_go_proto.KeyTemplate + expectedHashName string + } + + supportedKeyTypes := []testcase{ + { + keyTemplate: signature.ECDSAP256KeyWithoutPrefixTemplate(), + expectedHashName: "SHA256", + }, + { + keyTemplate: signature.ECDSAP384KeyWithoutPrefixTemplate(), + expectedHashName: "SHA512", + }, + { + keyTemplate: signature.ECDSAP521KeyWithoutPrefixTemplate(), + expectedHashName: "SHA512", + }, + } + for _, kt := range supportedKeyTypes { + kh, err := keyset.NewHandle(kt.keyTemplate) + if err != nil { + t.Fatalf("error creating ECDSA key handle: %v", err) + } + + signer, hashName, err := KeyHandleToSigner(kh) + if err != nil { + t.Fatalf("error creating signer from ECDSA key template: %v", err) + } + + if signer == nil { + t.Fatalf("expected signer to be non-nil") + } + + if hashName != kt.expectedHashName { + t.Fatalf("expected hash name %s, got %s", kt.expectedHashName, hashName) + } + } +}
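Review bot: `TestKeyHandleToSigner` covers only the three ECDSA templates, so the Ed25519 branch of `KeyHandleToSigner`, whose return this commit also changes to `return p, "", nil`, has no assertion on its hash name. Add a case with `keyTemplate: signature.ED25519KeyWithoutPrefixTemplate()` and `expectedHashName: ""` so the empty-name contract that `getHashFromName` depends on is pinned by a test rather than implied. Naming the unsupported-key and nil-keyset error paths as cases here would round out the table as well.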