diff --git a/configure.ac b/configure.ac index 82d96e187..c7f205ff8 100644 --- a/configure.ac +++ b/configure.ac @@ -1278,22 +1278,6 @@ fi AM_CONDITIONAL(ENABLE_GUARDTIME, test x$enable_guardtime = xyes) -# GuardTime KSI support -AC_ARG_ENABLE(gt-ksi, - [AS_HELP_STRING([--enable-gt-ksi],[Enable log file signing support via GuardTime KSI @<:@default=no@:>@])], - [case "${enableval}" in - yes) enable_gt_ksi="yes" ;; - no) enable_gt_ksi="no" ;; - *) AC_MSG_ERROR(bad value ${enableval} for --enable-gt-ksi) ;; - esac], - [enable_gt_ksi=no] -) -if test "x$enable_gt_ksi" = "xyes"; then - PKG_CHECK_MODULES(GT_KSI, libksi >= 3.4.0.2) - PKG_CHECK_MODULES(GT_KSI, libksi < 3.5.0.0) -fi -AM_CONDITIONAL(ENABLE_GT_KSI, test x$enable_gt_ksi = xyes) - # GuardTime KSI LOGSIG 12 support AC_ARG_ENABLE(ksi-ls12, @@ -2135,7 +2119,6 @@ echo " have to generate man pages: $have_to_generate_man_pages" echo " Unlimited select() support enabled: $enable_unlimited_select" echo " uuid support enabled: $enable_uuid" echo " Log file signing support: $enable_guardtime" -echo " Log file signing support via KSI: $enable_gt_ksi" echo " Log file signing support via KSI LS12: $enable_ksi_ls12" echo " Log file encryption support: $enable_libgcrypt" echo " anonymization support enabled: $enable_mmanon" diff --git a/runtime/Makefile.am b/runtime/Makefile.am index d03da8b7c..cc9edac52 100644 --- a/runtime/Makefile.am +++ b/runtime/Makefile.am 
@@ -251,21 +251,6 @@ lmtcpclt_la_LDFLAGS = -module -avoid-version $(LIBLOGGING_STDLOG_LIBS) lmtcpclt_la_LIBADD = - -# -# support library for guardtime KSI -# -if ENABLE_GT_KSI - noinst_LTLIBRARIES += librsksi.la - librsksi_la_SOURCES = librsksi.c librsksi_read.c librsksi.h librsgt_common.h - librsksi_la_CPPFLAGS = $(RSRT_CFLAGS) $(GT_KSI_CFLAGS) - pkglib_LTLIBRARIES += lmsig_ksi.la - lmsig_ksi_la_SOURCES = lmsig_ksi.c lmsig_ksi.h - lmsig_ksi_la_CPPFLAGS = $(RSRT_CFLAGS) $(GT_KSI_CFLAGS) - lmsig_ksi_la_LDFLAGS = -module -avoid-version - lmsig_ksi_la_LIBADD = librsksi.la $(GT_KSI_LIBS) -endif - # # support library for Guardtime KSI-LS12 # diff --git a/runtime/librsksi.c b/runtime/librsksi.c deleted file mode 100644 index 6740bfa9d..000000000 --- a/runtime/librsksi.c +++ /dev/null 
@@ -1,1178 +0,0 @@
-/* librsksi.c - rsyslog's KSI support library
- *
- * Regarding the online algorithm for Merkle tree signing. Expected
- * calling sequence is:
- *
- * sigblkConstruct
- * for each signature block:
- * sigblkInitKSI
- * for each record:
- * sigblkAddRecordKSI
- * sigblkFinishKSI
- * sigblkDestruct
- *
- * Obviously, the next call after sigblkFinsh must either be to
- * sigblkInitKSI or sigblkDestruct (if no more signature blocks are
- * to be emitted, e.g. on file close). sigblkDestruct saves state
- * information (most importantly last block hash) and sigblkConstruct
- * reads (or initilizes if not present) it.
- *
- * Copyright 2013-2016 Adiscon GmbH.
- *
- * This file is part of rsyslog.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- * -or-
- * see COPYING.ASL20 in the source distribution
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#define MAXFNAME 1024
-
-#include
-#include "librsgt_common.h"
-#include "librsksi.h"
-
-typedef unsigned char uchar;
-#ifndef VERSION
-#define VERSION "no-version"
-#endif
-
-int RSKSI_FLAG_TLV16_RUNTIME = RSGT_FLAG_TLV16;
-int RSKSI_FLAG_NONCRIT_RUNTIME = RSGT_FLAG_NONCRIT;
-
-/* the following function maps RSGTE_* state to a string - must be updated
- * whenever a new state is added.
- * Note: it is thread-safe to call this function, as it returns a pointer
- * into constant memory pool.
- */
-const char *
-RSKSIE2String(int err)
-{
- switch(err) {
- case RSGTE_SUCCESS:
- return "success";
- case RSGTE_IO:
- return "i/o error";
- case RSGTE_FMT:
- return "data format error";
- case RSGTE_INVLTYP:
- return "invalid/unexpected tlv record type";
- case RSGTE_OOM:
- return "out of memory";
- case RSGTE_LEN:
- return "length record problem";
- case RSGTE_SIG_EXTEND:
- return "error extending signature";
- case RSGTE_INVLD_RECCNT:
- return "mismatch between actual record count and number in block signature record";
- case RSGTE_INVLHDR:
- return "invalid file header";
- case RSGTE_EOF:
- return "EOF";
- case RSGTE_MISS_REC_HASH:
- return "record hash missing";
- case RSGTE_MISS_TREE_HASH:
- return "tree hash missing";
- case RSGTE_INVLD_REC_HASH:
- return "record hash mismatch";
- case RSGTE_INVLD_TREE_HASH:
- return "tree hash mismatch";
- case RSGTE_INVLD_REC_HASHID:
- return "invalid record hash ID";
- case RSGTE_INVLD_TREE_HASHID:
- return "invalid tree hash ID";
- case RSGTE_MISS_BLOCKSIG:
- return "missing block signature record";
- case RSGTE_INVLD_SIGNATURE:
- return "Signature invalid";
- case RSGTE_TS_CREATEHASH:
- return "error creating HASH";
- case RSGTE_TS_DERENCODE:
- return "error DER-encoding RFC3161 timestamp";
- case RSGTE_HASH_CREATE:
- return "error creating hash";
- case RSGTE_END_OF_SIG:
- return "unexpected end of signature";
- case RSGTE_END_OF_LOG:
- return "unexpected end of log";
- case RSGTE_EXTRACT_HASH:
- return "either record-hash, left-hash or right-hash was empty";
- case RSGTE_MISS_KSISIG:
- return "KSI signature missing";
- default:
- return "unknown error";
- }
-}
-
-uint16_t
-hashOutputLengthOctetsKSI(uint8_t hashID)
-{
- switch(hashID) {
- case KSI_HASHALG_SHA1: /** The SHA-1 algorithm. */
- return 20;
- case KSI_HASHALG_SHA2_256: /** The SHA-256 algorithm. */
- return 32;
- case KSI_HASHALG_RIPEMD160: /** The RIPEMD-160 algorithm. */
- return 20;
- case KSI_HASHALG_SHA2_384: /** The SHA-384 algorithm. */
- return 48;
- case KSI_HASHALG_SHA2_512: /** The SHA-512 algorithm. */
- return 64;
- case KSI_HASHALG_SHA3_244: /** The SHA3-244 algorithm. */
- return 28;
- case KSI_HASHALG_SHA3_256: /** The SHA3-256 algorithm. */
- return 32;
- case KSI_HASHALG_SHA3_384: /** The SHA3-384 algorithm. */
- return 48;
- case KSI_HASHALG_SHA3_512: /** The SHA3-512 algorithm */
- return 64;
- case KSI_HASHALG_SM3: /** The SM3 algorithm.*/
- return 32;
- default:return 32;
- }
-}
-
-uint8_t
-hashIdentifierKSI(KSI_HashAlgorithm hashID)
-{
- switch(hashID) {
- case KSI_HASHALG_SHA1: /** The SHA-1 algorithm. */
- return 0x00;
- case KSI_HASHALG_SHA2_256: /** The SHA-256 algorithm. */
- return 0x01;
- case KSI_HASHALG_RIPEMD160: /** The RIPEMD-160 algorithm. */
- return 0x02;
- case KSI_HASHALG_SHA2_384: /** The SHA-384 algorithm. */
- return 0x04;
- case KSI_HASHALG_SHA2_512: /** The SHA-512 algorithm. */
- return 0x05;
- case KSI_HASHALG_SHA3_244: /** The SHA3-244 algorithm. */
- return 0x07;
- case KSI_HASHALG_SHA3_256: /** The SHA3-256 algorithm. */
- return 0x08;
- case KSI_HASHALG_SHA3_384: /** The SHA3-384 algorithm. */
- return 0x09;
- case KSI_HASHALG_SHA3_512: /** The SHA3-512 algorithm */
- return 0x0a;
- case KSI_HASHALG_SM3: /** The SM3 algorithm.*/
- return 0x0b;
- case KSI_NUMBER_OF_KNOWN_HASHALGS: /* TODO: what is this??? */
- default:return 0xff;
- }
-}
-const char *
-hashAlgNameKSI(uint8_t hashID)
-{
- switch(hashID) {
- case KSI_HASHALG_SHA1:
- return "SHA1";
- case KSI_HASHALG_SHA2_256:
- return "SHA2-256";
- case KSI_HASHALG_RIPEMD160:
- return "RIPEMD-160";
- case KSI_HASHALG_SHA2_384:
- return "SHA2-384";
- case KSI_HASHALG_SHA2_512:
- return "SHA2-512";
- case KSI_HASHALG_SHA3_256:
- return "SHA3-256";
- case KSI_HASHALG_SHA3_384:
- return "SHA3-384";
- case KSI_HASHALG_SHA3_512:
- return "SHA3-512";
- case KSI_HASHALG_SM3:
- return "SM3";
- default:return "[unknown]";
- }
-}
-KSI_HashAlgorithm
-hashID2AlgKSI(uint8_t hashID)
-{
- switch(hashID) {
- case 0x00:
- return KSI_HASHALG_SHA1;
- case 0x01:
- return KSI_HASHALG_SHA2_256;
- case 0x02:
- return KSI_HASHALG_RIPEMD160;
- case 0x04:
- return KSI_HASHALG_SHA2_384;
- case 0x05:
- return KSI_HASHALG_SHA2_512;
- case 0x07:
- return KSI_HASHALG_SHA3_244;
- case 0x08:
- return KSI_HASHALG_SHA3_256;
- case 0x09:
- return KSI_HASHALG_SHA3_384;
- case 0x0a:
- return KSI_HASHALG_SHA3_512;
- case 0x0b:
- return KSI_HASHALG_SM3;
- default:
- return 0xff;
- }
-}
-
-static void __attribute__ ((format (printf, 2, 3)))
-report(rsksictx ctx, const char *errmsg, ...) {
- char buf[1024];
- va_list args;
- va_start(args, errmsg);
-
- int r = vsnprintf(buf, sizeof (buf), errmsg, args);
- buf[sizeof(buf)-1] = '\0';
-
- if(ctx->logFunc == NULL)
- return;
-
- if(r>0 && r<(int)sizeof(buf))
- ctx->logFunc(ctx->usrptr, (uchar*)buf);
- else
- ctx->logFunc(ctx->usrptr, (uchar*)errmsg);
-}
-
-static void
-reportErr(rsksictx ctx, const char *const errmsg)
-{
- if(ctx->errFunc == NULL)
- goto done;
- ctx->errFunc(ctx->usrptr, (uchar*)errmsg);
-done: return;
-}
-
-void
-reportKSIAPIErr(rsksictx ctx, ksifile ksi, const char *apiname, int ecode)
-{
- char errbuf[4096];
- snprintf(errbuf, sizeof(errbuf), "%s[%s:%d]: %s",
- (ksi == NULL) ? (uchar*)"" : ksi->sigfilename,
- apiname, ecode, KSI_getErrorString(ecode));
- errbuf[sizeof(errbuf)-1] = '\0';
- reportErr(ctx, errbuf);
-}
-
-void
-rsksisetErrFunc(rsksictx ctx, void (*func)(void*, uchar *), void *usrptr)
-{
- ctx->usrptr = usrptr;
- ctx->errFunc = func;
-}
-
-void
-rsksisetLogFunc(rsksictx ctx, void (*func)(void*, uchar *), void *usrptr)
-{
- ctx->usrptr = usrptr;
- ctx->logFunc = func;
-}
-
-int
-rsksiIntoImprintFromKSI_DataHash(imprint_t* imp, ksifile ksi, KSI_DataHash *hash)
-{
- int r = RSGTE_SUCCESS;
- const unsigned char *digest;
- size_t digest_len;
-
- KSI_HashAlgorithm hashID;
- r = KSI_DataHash_extract(hash, &hashID, &digest, &digest_len);
- if (r != KSI_OK){
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_extract", r);
- r = RSGTE_IO;
- goto done;
- }
-
- imp->hashID = hashID;
- imp->len = digest_len;
- if((imp->data = (uint8_t*)malloc(imp->len)) == NULL) {
- r = RSGTE_OOM;
- goto done;
- }
- memcpy(imp->data, digest, digest_len);
-done:
- return r;
-}
-
-
-imprint_t *
-rsksiImprintFromKSI_DataHash(ksifile ksi, KSI_DataHash *hash)
-{
- int r;
- imprint_t *imp;
-
- if((imp = calloc(1, sizeof(imprint_t))) == NULL) {
- goto done;
- }
-
- r = rsksiIntoImprintFromKSI_DataHash(imp, ksi, hash);
- if (r != RSGTE_SUCCESS) {
- free(imp);
- imp = NULL;
- goto done;
- }
-done:
- return imp;
-}
-
-void
-rsksiimprintDel(imprint_t *imp)
-{
- if(imp != NULL) {
- free(imp->data),
- free(imp);
- }
-}
-
-int
-rsksiInit(__attribute__((unused)) char *usragent)
-{
- return 0;
-}
-
-void
-rsksiExit(void)
-{
- return;
-}
-
-static ksifile
-rsksifileConstruct(rsksictx ctx)
-{
- ksifile ksi = NULL;
- if((ksi = calloc(1, sizeof(struct ksifile_s))) == NULL)
- goto done;
- ksi->ctx = ctx;
- ksi->hashAlg = ctx->hashAlg;
- ksi->blockSizeLimit = ctx->blockSizeLimit;
- ksi->bKeepRecordHashes = ctx->bKeepRecordHashes;
- ksi->bKeepTreeHashes = ctx->bKeepTreeHashes;
- ksi->x_prev = NULL;
-
-done: return ksi;
-}
-
-static size_t
-tlvbufPhysWrite(ksifile ksi)
-{
- ssize_t lenBuf;
- ssize_t iTotalWritten;
- ssize_t iWritten;
- char *pWriteBuf;
- size_t r = 0;
-
- lenBuf = ksi->tlvIdx;
- pWriteBuf = ksi->tlvBuf;
- iTotalWritten = 0;
- do {
- iWritten = write(ksi->fd, pWriteBuf, lenBuf);
- if(iWritten < 0) {
- iWritten = 0; /* we have written NO bytes! */
- if(errno == EINTR) {
- /*NO ERROR, just continue */;
- } else {
- reportErr(ksi->ctx, "signature file write error");
- r = RSGTE_IO;
- goto finalize_it;
- }
- }
- /* advance buffer to next write position */
- iTotalWritten += iWritten;
- lenBuf -= iWritten;
- pWriteBuf += iWritten;
- } while(lenBuf > 0); /* Warning: do..while()! */
-
-finalize_it:
- ksi->tlvIdx = 0;
- return r;
-}
-
-static size_t
-tlvbufChkWrite(ksifile ksi)
-{
- if(ksi->tlvIdx == sizeof(ksi->tlvBuf)) {
- return tlvbufPhysWrite(ksi);
- }
- return 0;
-}
-
-
-/* write to TLV file buffer. If buffer is full, an actual call occurs. Else
- * output is written only on flush or close.
- */
-static size_t
-tlvbufAddOctet(ksifile ksi, int8_t octet)
-{
- size_t r;
- r = tlvbufChkWrite(ksi);
- if(r != 0) goto done;
- ksi->tlvBuf[ksi->tlvIdx++] = octet;
-done: return r;
-}
-static size_t
-tlvbufAddOctetString(ksifile ksi, uint8_t *octet, size_t size)
-{
- size_t i, r = 0;
- for(i = 0 ; i < size ; ++i) {
- r = tlvbufAddOctet(ksi, octet[i]);
- if(r != 0) goto done;
- }
-done: return r;
-}
-/* return the actual length in to-be-written octets of an integer */
-static uint8_t
-tlvbufGetInt64OctetSize(uint64_t val)
-{
- if(val >> 56)
- return 8;
- if((val >> 48) & 0xff)
- return 7;
- if((val >> 40) & 0xff)
- return 6;
- if((val >> 32) & 0xff)
- return 5;
- if((val >> 24) & 0xff)
- return 4;
- if((val >> 16) & 0xff)
- return 3;
- if((val >> 8) & 0xff)
- return 2;
- return 1;
-}
-static int
-tlvbufAddInt64(ksifile ksi, uint64_t val)
-{
- uint8_t doWrite = 0;
- int r;
- if(val >> 56) {
- r = tlvbufAddOctet(ksi, (val >> 56) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 48) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 48) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 40) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 40) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 32) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 32) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 24) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 24) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 16) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 16) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- if(doWrite || ((val >> 8) & 0xff)) {
- r = tlvbufAddOctet(ksi, (val >> 8) & 0xff), doWrite = 1;
- if(r != 0) goto done;
- }
- r = tlvbufAddOctet(ksi, val & 0xff);
-done: return r;
-}
-
-
-static int
-tlv8WriteKSI(ksifile ksi, int flags, int tlvtype, int len)
-{
- int r;
- assert((flags & RSGT_TYPE_MASK) == 0);
- assert((tlvtype & RSGT_TYPE_MASK) == tlvtype);
- r = tlvbufAddOctet(ksi, (flags & ~RSKSI_FLAG_TLV16_RUNTIME) | tlvtype);
- if(r != 0) goto done;
- r = tlvbufAddOctet(ksi, len & 0xff);
-done: return r;
-}
-
-static int
-tlv16WriteKSI(ksifile ksi, int flags, int tlvtype, uint16_t len)
-{
- uint16_t typ;
- int r;
- assert((flags & RSGT_TYPE_MASK) == 0);
- assert((tlvtype >> 8 & RSGT_TYPE_MASK) == (tlvtype >> 8));
- typ = ((flags | RSKSI_FLAG_TLV16_RUNTIME) << 8) | tlvtype;
- r = tlvbufAddOctet(ksi, typ >> 8);
- if(r != 0) goto done;
- r = tlvbufAddOctet(ksi, typ & 0xff);
- if(r != 0) goto done;
- r = tlvbufAddOctet(ksi, (len >> 8) & 0xff);
- if(r != 0) goto done;
- r = tlvbufAddOctet(ksi, len & 0xff);
-done: return r;
-}
-
-static int
-tlvFlushKSI(ksifile ksi)
-{
- return (ksi->tlvIdx == 0) ? 0 : tlvbufPhysWrite(ksi);
-}
-
-static int
-tlvWriteHashKSI(ksifile ksi, uint16_t tlvtype, KSI_DataHash *rec)
-{
- unsigned tlvlen;
- int r;
- const unsigned char *digest;
- size_t digest_len;
- r = KSI_DataHash_extract(rec, NULL, &digest, &digest_len);
- if (r != KSI_OK){
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_extract", r);
- goto done;
- }
- tlvlen = 1 + digest_len;
- r = tlv16WriteKSI(ksi, 0x00, tlvtype, tlvlen);
- if(r != 0) goto done;
- r = tlvbufAddOctet(ksi, hashIdentifierKSI(ksi->hashAlg));
- if(r != 0) goto done;
- r = tlvbufAddOctetString(ksi, (unsigned char*)digest, digest_len);
-done: return r;
-}
-
-static int
-tlvWriteBlockHdrKSI(ksifile ksi) {
- unsigned tlvlen;
- int r;
- tlvlen = 2 + 1 /* hash algo TLV */ +
- 2 + hashOutputLengthOctetsKSI(ksi->hashAlg) /* iv */ +
- 2 + 1 + ksi->x_prev->len /* last hash */;
- /* write top-level TLV object block-hdr */
- CHKr(tlv16WriteKSI(ksi, 0x00, 0x0901, tlvlen));
- /* and now write the children */
- /* hash-algo */
- CHKr(tlv8WriteKSI(ksi, 0x00, 0x01, 1));
- CHKr(tlvbufAddOctet(ksi, hashIdentifierKSI(ksi->hashAlg)));
- /* block-iv */
- CHKr(tlv8WriteKSI(ksi, 0x00, 0x02, hashOutputLengthOctetsKSI(ksi->hashAlg)));
- CHKr(tlvbufAddOctetString(ksi, ksi->IV, hashOutputLengthOctetsKSI(ksi->hashAlg)));
- /* last-hash */
- CHKr(tlv8WriteKSI(ksi, 0x00, 0x03, ksi->x_prev->len + 1));
- CHKr(tlvbufAddOctet(ksi, ksi->x_prev->hashID));
- CHKr(tlvbufAddOctetString(ksi, ksi->x_prev->data, ksi->x_prev->len));
-done: return r;
-}
-
-static int
-tlvWriteBlockSigKSI(ksifile ksi, uchar *der, uint16_t lenDer)
-{
- unsigned tlvlen;
- uint8_t tlvlenRecords;
- int r;
-
- tlvlenRecords = tlvbufGetInt64OctetSize(ksi->nRecords);
- tlvlen = 2 + tlvlenRecords /* rec-count */ +
- 4 + lenDer /* rfc-3161 */;
- /* write top-level TLV object (block-sig */
- r = tlv16WriteKSI(ksi, 0x00, 0x0904, tlvlen);
- if(r != 0) goto done;
- /* and now write the children */
- //FIXME: flags???
- /* rec-count */
- r = tlv8WriteKSI(ksi, 0x00, 0x01, tlvlenRecords);
- if(r != 0) goto done;
- r = tlvbufAddInt64(ksi, ksi->nRecords);
- if(r != 0) goto done;
- /* Open-KSI signature */
- r = tlv16WriteKSI(ksi, 0x00, 0x0905, lenDer);
- if(r != 0) goto done;
- r = tlvbufAddOctetString(ksi, der, lenDer);
-done: return r;
-}
-
-
-
-/* support for old platforms - graceful degrade */
-#ifndef O_CLOEXEC
-#define O_CLOEXEC 0
-#endif
-/* read rsyslog log state file; if we cannot access it or the
- * contents looks invalid, we flag it as non-present (and thus
- * begin a new hash chain).
- * The context is initialized accordingly.
- */
-static void
-readStateFile(ksifile ksi)
-{
- int fd;
- struct rsksistatefile sf;
-
- fd = open((char*)ksi->statefilename, O_RDONLY|O_NOCTTY|O_CLOEXEC, 0600);
- if(fd == -1) goto err;
-
- if(read(fd, &sf, sizeof(sf)) != sizeof(sf)) goto err;
- if(strncmp(sf.hdr, "KSISTAT10", 9)) goto err;
-
- ksi->x_prev = malloc(sizeof(imprint_t));
- if (ksi->x_prev == NULL) goto err;
- ksi->x_prev->len = sf.lenHash;
- ksi->x_prev->hashID = sf.hashID;
- ksi->x_prev->data = calloc(1, ksi->x_prev->len);
- if (ksi->x_prev->data == NULL) {
- free(ksi->x_prev);
- ksi->x_prev = NULL;
- goto err;
- }
-
- if(read(fd, ksi->x_prev->data, ksi->x_prev->len)
- != (ssize_t) ksi->x_prev->len) {
- rsksiimprintDel(ksi->x_prev);
- ksi->x_prev = NULL;
- goto err;
- }
- close(fd);
-return;
-
-err:
- ksi->x_prev = malloc(sizeof(imprint_t));
- ksi->x_prev->hashID = hashIdentifierKSI(ksi->hashAlg);
- ksi->x_prev->len = hashOutputLengthOctetsKSI(ksi->hashAlg);
- ksi->x_prev->data = calloc(1, ksi->x_prev->len);
-}
-
-/* persist all information that we need to re-open and append
- * to a log signature file.
- */
-static void
-writeStateFile(ksifile ksi)
-{
- int fd;
- struct rsksistatefile sf;
-
- fd = open((char*)ksi->statefilename,
- O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY|O_CLOEXEC, ksi->ctx->fCreateMode);
- if(fd == -1)
- goto done;
- if (ksi->ctx->fileUID != (uid_t) - 1 || ksi->ctx->fileGID != (gid_t) - 1) {
- /* we need to set owner/group */
- if (fchown(fd, ksi->ctx->fileUID, ksi->ctx->fileGID) != 0) {
- report(ksi->ctx, "lmsig_ksi: chown for file '%s' failed: %s",
- ksi->statefilename, strerror(errno));
- }
- }
-
- memcpy(sf.hdr, "KSISTAT10", 9);
- sf.hashID = hashIdentifierKSI(ksi->hashAlg);
- sf.lenHash = ksi->x_prev->len;
- /* if the write fails, we cannot do anything against that. We check
- * the condition just to keep the compiler happy.
- */
- if(write(fd, &sf, sizeof(sf))){};
- if(write(fd, ksi->x_prev->data, ksi->x_prev->len)){};
- close(fd);
-done: return;
-}
-
-
-static int
-tlvCloseKSI(ksifile ksi)
-{
- int r;
- r = tlvFlushKSI(ksi);
- close(ksi->fd);
- ksi->fd = -1;
- writeStateFile(ksi);
- return r;
-}
-
-
-/* note: if file exists, the last hash for chaining must
- * be read from file.
- */
-static int
-tlvOpenKSI(ksifile ksi, const char *const hdr, unsigned lenHdr)
-{
- int r = 0;
- struct stat stat_st;
-
- ksi->fd = open((char*)ksi->sigfilename,
- O_WRONLY|O_APPEND|O_NOCTTY|O_CLOEXEC, 0600);
- if(ksi->fd == -1) {
- /* looks like we need to create a new file */
- ksi->fd = open((char*)ksi->sigfilename,
- O_WRONLY|O_CREAT|O_NOCTTY|O_CLOEXEC, ksi->ctx->fCreateMode);
- if(ksi->fd == -1) {
- r = RSGTE_IO;
- goto done;
- }
-
- /* check and set uid/gid */
- if (ksi->ctx->fileUID != (uid_t) - 1 || ksi->ctx->fileGID != (gid_t) - 1) {
- /* we need to set owner/group */
- if (fchown(ksi->fd, ksi->ctx->fileUID, ksi->ctx->fileGID) != 0) {
- report(ksi->ctx, "lmsig_ksi: chown for file '%s' failed: %s",
- ksi->sigfilename, strerror(errno));
- }
- }
-
- /* Write fileHeader */
- memcpy(ksi->tlvBuf, hdr, lenHdr);
- ksi->tlvIdx = lenHdr;
- } else {
- /* Get FileSize from existing ksisigfile */
- if(fstat(ksi->fd, &stat_st) == -1) {
- reportErr(ksi->ctx, "tlvOpenKSI: can not stat file");
- r = RSGTE_IO;
- goto done;
- }
-
- /* Check if size is above header length. */
- if(stat_st.st_size > 0) {
- /* header already present! */
- ksi->tlvIdx = 0;
- } else {
- /* Write fileHeader */
- memcpy(ksi->tlvBuf, hdr, lenHdr);
- ksi->tlvIdx = lenHdr;
- }
- }
- /* we now need to obtain the last previous hash, so that
- * we can continue the hash chain. We do not check for error
- * as a state file error can be recovered by graceful degredation.
- */
- readStateFile(ksi);
-done: return r;
-}
-
-/*
- * As of some Linux and security expert I spoke to, /dev/urandom
- * provides very strong random numbers, even if it runs out of
- * entropy. As far as he knew, this is save for all applications
- * (and he had good proof that I currently am not permitted to
- * reproduce). -- rgerhards, 2013-03-04
- */
-static void
-seedIVKSI(ksifile ksi)
-{
- int hashlen;
- int fd;
-
- hashlen = hashOutputLengthOctetsKSI(ksi->hashAlg);
- ksi->IV = malloc(hashlen); /* do NOT zero-out! */
- /* if we cannot obtain data from /dev/urandom, we use whatever
- * is present at the current memory location as random data. Of
- * course, this is very weak and we should consider a different
- * option, especially when not running under Linux (for Linux,
- * unavailability of /dev/urandom is just a theoretic thing, it
- * will always work...). -- TODO -- rgerhards, 2013-03-06
- */
- if((fd = open("/dev/urandom", O_RDONLY)) > 0) {
- if(read(fd, ksi->IV, hashlen)) {}; /* keep compiler happy */
- close(fd);
- }
-}
-
-rsksictx
-rsksiCtxNew(void)
-{
- rsksictx ctx;
- ctx = calloc(1, sizeof(struct rsksictx_s));
- KSI_CTX_new(&ctx->ksi_ctx); // TODO: error check (probably via a generic macro?)
- ctx->hashAlg = KSI_HASHALG_SHA2_256;
- ctx->errFunc = NULL;
- ctx->usrptr = NULL;
- ctx->fileUID = -1;
- ctx->fileGID = -1;
- ctx->dirUID = -1;
- ctx->dirGID = -1;
- ctx->fCreateMode = 0644;
- ctx->fDirCreateMode = 0700;
- ctx->timestamper = strdup(
- "http://stamper.guardtime.net/gt-signingservice");
- return ctx;
-}
-
-/* either returns ksifile object or NULL if something went wrong */
-ksifile
-rsksiCtxOpenFile(rsksictx ctx, unsigned char *logfn)
-{
- ksifile ksi;
- char fn[MAXFNAME+1];
-
- if((ksi = rsksifileConstruct(ctx)) == NULL)
- goto done;
-
- snprintf(fn, sizeof(fn), "%s.ksisig", logfn);
- fn[MAXFNAME] = '\0'; /* be on save side */
- ksi->sigfilename = (uchar*) strdup(fn);
- snprintf(fn, sizeof(fn), "%s.ksistate", logfn);
- fn[MAXFNAME] = '\0'; /* be on save side */
- ksi->statefilename = (uchar*) strdup(fn);
- if(tlvOpenKSI(ksi, LOGSIGHDR, sizeof(LOGSIGHDR)-1) != 0) {
- reportErr(ctx, "signature file open failed");
- /* Free memory */
- free(ksi);
- ksi = NULL;
- }
-done: return ksi;
-}
-
-
-/* returns 0 on succes, 1 if algo is unknown, 2 is algo has been remove
- * because it is now considered insecure
- */
-int
-rsksiSetHashFunction(rsksictx ctx, char *algName)
-{
- int r = 0;
- if(!strcmp(algName, "SHA1"))
- ctx->hashAlg = KSI_HASHALG_SHA1;
- else if(!strcmp(algName, "SHA2-256"))
- ctx->hashAlg = KSI_HASHALG_SHA2_256;
- else if(!strcmp(algName, "RIPEMD-160"))
- ctx->hashAlg = KSI_HASHALG_RIPEMD160;
- else if(!strcmp(algName, "SHA2-384"))
- ctx->hashAlg = KSI_HASHALG_SHA2_384;
- else if(!strcmp(algName, "SHA2-512"))
- ctx->hashAlg = KSI_HASHALG_SHA2_512;
- else if(!strcmp(algName, "SHA3-244"))
- ctx->hashAlg = KSI_HASHALG_SHA3_244;
- else if(!strcmp(algName, "SHA3-256"))
- ctx->hashAlg = KSI_HASHALG_SHA3_256;
- else if(!strcmp(algName, "SHA3-384"))
- ctx->hashAlg = KSI_HASHALG_SHA3_384;
- else if(!strcmp(algName, "SHA3-512"))
- ctx->hashAlg = KSI_HASHALG_SHA3_512;
- else if(!strcmp(algName, "SM3"))
- ctx->hashAlg = KSI_HASHALG_SM3;
- else if(!strcmp(algName, "SHA2-224"))
- r = 2;
- else
- r = 1;
- return r;
-}
-
-int
-rsksifileDestruct(ksifile ksi)
-{
- int r = 0;
- if(ksi == NULL)
- goto done;
-
- if(!ksi->disabled && ksi->bInBlk) {
- r = sigblkFinishKSI(ksi);
- }
- if(!ksi->disabled)
- r = tlvCloseKSI(ksi);
- free(ksi->sigfilename);
- free(ksi->statefilename);
- free(ksi->IV);
- rsksiimprintDel(ksi->x_prev);
- free(ksi);
-done: return r;
-}
-
-void
-rsksiCtxDel(rsksictx ctx)
-{
- if(ctx != NULL) {
- free(ctx->timestamper);
- KSI_CTX_free(ctx->ksi_ctx);
- free(ctx);
- }
-}
-
-/* new sigblk is initialized, but maybe in existing ctx */
-void
-sigblkInitKSI(ksifile ksi)
-{
- if(ksi == NULL) goto done;
- seedIVKSI(ksi);
- memset(ksi->roots_valid, 0, sizeof(ksi->roots_valid));
- ksi->nRoots = 0;
- ksi->nRecords = 0;
- ksi->bInBlk = 1;
-
- report(ksi->ctx, "Started new block for signing, signature file %s, block count %lu", ksi->sigfilename,
- ksi->blockSizeLimit);
-
-done: return;
-}
-
-
-/* concat: add IV to buffer */
-static void
-bufAddIV(ksifile ksi, uchar *buf, size_t *len)
-{
- int hashlen;
-
- hashlen = hashOutputLengthOctetsKSI(ksi->hashAlg);
-
- memcpy(buf+*len, ksi->IV, hashlen);
- *len += hashlen;
-}
-
-
-/* concat: add imprint to buffer */
-static void
-bufAddImprint(uchar *buf, size_t *len, imprint_t *imp)
-{
- buf[*len] = imp->hashID;
- ++(*len);
- memcpy(buf+*len, imp->data, imp->len);
- *len += imp->len;
-}
-
-/* concat: add hash to buffer */
-static void
-bufAddHash(ksifile ksi, uchar *buf, size_t *len, KSI_DataHash *hash)
-{
- int r;
- const unsigned char *digest;
- size_t digest_len;
- r = KSI_DataHash_extract(hash, NULL, &digest, &digest_len); // TODO: error check
- if (r != KSI_OK){
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_extract", r);
- goto done;
- }
- buf[*len] = hashIdentifierKSI(ksi->hashAlg);
- ++(*len);
- memcpy(buf+*len, digest, digest_len);
- *len += digest_len;
-done: return;
-}
-/* concat: add tree level to buffer */
-static inline void
-bufAddLevel(uchar *buf, size_t *len, uint8_t level)
-{
- memcpy(buf+*len, &level, sizeof(level));
- *len += sizeof(level);
-}
-
-
-int
-hash_m_ksi(ksifile ksi, KSI_DataHash **m)
-{
- int rgt;
- uchar concatBuf[16*1024];
- size_t len = 0;
- int r = 0;
-
- bufAddImprint(concatBuf, &len, ksi->x_prev);
- bufAddIV(ksi, concatBuf, &len);
- rgt = KSI_DataHash_create(ksi->ctx->ksi_ctx, concatBuf, len, ksi->hashAlg, m);
- if(rgt != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_create", rgt);
- r = RSGTE_HASH_CREATE;
- goto done;
- }
-done: return r;
-}
-
-int
-hash_r_ksi(ksifile ksi, KSI_DataHash **r, const uchar *rec, const size_t len)
-{
- int ret = 0, rgt;
- rgt = KSI_DataHash_create(ksi->ctx->ksi_ctx, rec, len, ksi->hashAlg, r);
- if(rgt != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_create", rgt);
- ret = RSGTE_HASH_CREATE;
- goto done;
- }
-done: return ret;
-}
-
-
-int
-hash_node_ksi(ksifile ksi, KSI_DataHash **node, KSI_DataHash *m, KSI_DataHash *rec,
- uint8_t level)
-{
- int r = 0, rgt;
- uchar concatBuf[16*1024];
- size_t len = 0;
-
- bufAddHash(ksi, concatBuf, &len, m);
- bufAddHash(ksi, concatBuf, &len, rec);
- bufAddLevel(concatBuf, &len, level);
- rgt = KSI_DataHash_create(ksi->ctx->ksi_ctx, concatBuf, len, ksi->hashAlg, node);
- if(rgt != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_DataHash_create", rgt);
- r = RSGTE_HASH_CREATE;
- goto done;
- }
-done: return r;
-}
-
-
-int
-sigblkAddRecordKSI(ksifile ksi, const uchar *rec, const size_t len)
-{
- KSI_DataHash *x; /* current hash */
- KSI_DataHash *m, *r, *t, *t_del;
- uint8_t j;
- int ret = 0;
-
- if(ksi == NULL || ksi->disabled) goto done;
- if((ret = hash_m_ksi(ksi, &m)) != 0) goto done;
- if((ret = hash_r_ksi(ksi, &r, rec, len)) != 0) goto done;
- if(ksi->nRecords == 0)
- tlvWriteBlockHdrKSI(ksi);
- if(ksi->bKeepRecordHashes)
- tlvWriteHashKSI(ksi, 0x0902, r);
- if((ret = hash_node_ksi(ksi, &x, m, r, 1)) != 0) goto done; /* hash leaf */
- /* persists x here if Merkle tree needs to be persisted! */
- if(ksi->bKeepTreeHashes)
- tlvWriteHashKSI(ksi, 0x0903, x);
- rsksiimprintDel(ksi->x_prev);
- ksi->x_prev = rsksiImprintFromKSI_DataHash(ksi, x);
- /* add x to the forest as new leaf, update roots list */
- t = x;
- for(j = 0 ; j < ksi->nRoots ; ++j) {
- if(ksi->roots_valid[j] == 0) {
- ksi->roots_hash[j] = t;
- ksi->roots_valid[j] = 1;
- t = NULL;
- break;
- } else if(t != NULL) {
- /* hash interim node */
- t_del = t;
- ret = hash_node_ksi(ksi, &t, ksi->roots_hash[j], t_del, j+2);
- ksi->roots_valid[j] = 0;
- KSI_DataHash_free(ksi->roots_hash[j]);
- KSI_DataHash_free(t_del);
- if(ret != 0) goto done;
- if(ksi->bKeepTreeHashes)
- tlvWriteHashKSI(ksi, 0x0903, t);
- }
- }
- if(t != NULL) {
- /* new level, append "at the top" */
- ksi->roots_hash[ksi->nRoots] = t;
- ksi->roots_valid[ksi->nRoots] = 1;
- ++ksi->nRoots;
- assert(ksi->nRoots < MAX_ROOTS);
- t = NULL;
- }
- ++ksi->nRecords;
-
- /* cleanup (x is cleared as part of the roots array) */
- KSI_DataHash_free(m);
- KSI_DataHash_free(r);
-
- if(ksi->nRecords == ksi->blockSizeLimit) {
- sigblkFinishKSI(ksi);
- sigblkInitKSI(ksi);
- }
-done:
- return ret;
-}
-
-static int
-signIt(ksifile ksi, KSI_DataHash *hash)
-{
- unsigned char *der = NULL;
- size_t lenDer = 0;
- int r = KSI_OK;
- int ret = 0;
- KSI_Signature *sig = NULL;
-
- /* Sign the root hash. */
- r = KSI_Signature_createAggregated(ksi->ctx->ksi_ctx, hash, 0, &sig);
- if(r != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_Signature_createAggregated", r);
- ret = 1;
- goto done;
- }
-
- /* Sign the hash. */
-/* r = KSI_createSignature(ksi->ctx->ksi_ctx, hash, &sig);
- if(r != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_createSignature", r);
- ret = 1;
- goto done;
- }
-*/
-
- /* Serialize Signature. */
- r = KSI_Signature_serialize(sig, &der, &lenDer);
- if(r != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "KSI_Signature_serialize", r);
- ret = 1;
- goto done;
- }
-
- r = tlvWriteBlockSigKSI(ksi, der, lenDer);
- if(r != KSI_OK) {
- reportKSIAPIErr(ksi->ctx, ksi, "tlvWriteBlockSigKSI", r);
- ret = 1;
- goto done;
- }
-
- report(ksi->ctx, "KSI signature appended to file %s, block count %lu", ksi->sigfilename, ksi->nRecords);
-
-done:
- if (sig != NULL)
- KSI_Signature_free(sig);
- if (der != NULL)
- KSI_free(der);
- return ret;
-}
-
-
-int
-sigblkFinishKSI(ksifile ksi)
-{
- KSI_DataHash *root, *rootDel;
- int8_t j;
- int ret = 0;
-
- if(ksi->nRecords == 0)
- goto done;
-
- root = NULL;
- for(j = 0 ; j < ksi->nRoots ; ++j) {
- if(root == NULL) {
- root = ksi->roots_valid[j] ? ksi->roots_hash[j] : NULL;
- ksi->roots_valid[j] = 0;
- } else if(ksi->roots_valid[j]) {
- rootDel = root;
- ret = hash_node_ksi(ksi, &root, ksi->roots_hash[j], rootDel, j+2);
- ksi->roots_valid[j] = 0;
- KSI_DataHash_free(ksi->roots_hash[j]);
- KSI_DataHash_free(rootDel);
- if(ret != 0) goto done; /* checks hash_node_ksi() result! */
- }
- }
- signIt(ksi, root);
-
- KSI_DataHash_free(root);
-done:
- ksi->bInBlk = 0;
- return ret;
-}
-
-int
-rsksiSetAggregator(rsksictx ctx, char *uri, char *loginid, char *key)
-{
- int r;
- r = KSI_CTX_setAggregator(ctx->ksi_ctx, uri, loginid, key);
- if(r != KSI_OK) {
- reportKSIAPIErr(ctx, NULL, "KSI_CTX_setAggregator", r);
- }
- return r;
-}
diff --git a/runtime/librsksi.h b/runtime/librsksi.h
deleted file mode 100644
index 9990e5397..000000000
--- a/runtime/librsksi.h
+++ /dev/null
@@ -1,242 +0,0 @@ -/* librsksi.h - rsyslog's KSI support library - * - * Copyright 2013-2015 Adiscon GmbH. - * - * This file is part of rsyslog. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * -or- - * see COPYING.ASL20 in the source distribution - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#ifndef INCLUDED_LIBRSKSI_H -#define INCLUDED_LIBRSKSI_H -#include -typedef enum KSI_HashAlgorithm_en KSI_HashAlgorithm; - -/* Max number of roots inside the forest. This permits blocks of up to - * 2^MAX_ROOTS records. We assume that 64 is sufficient for all use - * cases ;) [and 64 is not really a waste of memory, so we do not even - * try to work with reallocs and such...] - */ - -/* context for gt calls. This primarily serves as a container for the - * config settings. The actual file-specific data is kept in ksifile. 
- */ -struct rsksictx_s { - KSI_CTX *ksi_ctx; /* libksi's context object */ - KSI_HashAlgorithm hashAlg; - uint8_t bKeepRecordHashes; - uint8_t bKeepTreeHashes; - uint64_t blockSizeLimit; - uid_t fileUID; /* IDs for creation */ - uid_t dirUID; - gid_t fileGID; - gid_t dirGID; - int fCreateMode; /* mode to use when creating files */ - int fDirCreateMode; /* mode to use when creating files */ - char *timestamper; - void (*errFunc)(void *, unsigned char*); - void (*logFunc)(void *, unsigned char*); - void *usrptr; /* for error function */ -}; -typedef struct rsksictx_s *rsksictx; -typedef struct ksifile_s *ksifile; -typedef struct ksierrctx_s ksierrctx_t; - -/* this describes a file, as far as librsksi is concerned */ -struct ksifile_s { - /* the following data items are mirrored from rsksictx to - * increase cache hit ratio (they are frequently accesed). - */ - KSI_HashAlgorithm hashAlg; - uint8_t bKeepRecordHashes; - uint8_t bKeepTreeHashes; - /* end mirrored properties */ - uint8_t disabled; /* permits to disable this file --> set to 1 */ - uint64_t blockSizeLimit; - uint8_t *IV; /* initial value for blinding masks */ - imprint_t *x_prev; /* last leaf hash (maybe of previous block) --> preserve on term */ - unsigned char *sigfilename; - unsigned char *statefilename; - int fd; - uint64_t nRecords; /* current number of records in current block */ - uint64_t bInBlk; /* are we currently inside a blk --> need to finish on close */ - int8_t nRoots; - /* algo engineering: roots structure is split into two arrays - * in order to improve cache hits. - */ - int8_t roots_valid[MAX_ROOTS]; - KSI_DataHash *roots_hash[MAX_ROOTS]; - /* data members for the associated TLV file */ - char tlvBuf[4096]; - int tlvIdx; /* current index into tlvBuf */ - rsksictx ctx; -}; - -/* The following structure describes the "error context" to be used - * for verification and similiar reader functions. 
While verifying, - * we need some information (like filenames or block numbers) that - * is not readily available from the other objects (or not even known - * to librsksi). In order to provide meaningful error messages, this - * information must be passed in from the external callers. In order - * to centralize information (and make it more manageable), we use - * ths error context here, which contains everything needed to - * generate good error messages. Members of this structure are - * maintained both by library users (the callers) as well as - * the library itself. Who does what simply depends on who has - * the relevant information. - */ -struct ksierrctx_s { - FILE *fp; /**< file for error messages */ - char *filename; - uint8_t verbose; - uint64_t recNumInFile; - uint64_t recNum; - uint64_t blkNum; - uint8_t treeLevel; - KSI_DataHash *computedHash; - KSI_DataHash *lefthash, *righthash; /* hashes to display if tree hash fails */ - imprint_t *fileHash; - int ksistate; /* status from last relevant GT.*() function call */ - char *errRec; - char *frstRecInBlk; /* This holds the first message seen inside the current block */ -}; - -/* the following defines the ksistate file record. Currently, this record - * is fixed, we may change that over time. 
- */ -struct rsksistatefile { - char hdr[9]; /* must be "KSISTAT10" */ - uint8_t hashID; - uint8_t lenHash; - /* after that, the hash value is contained within the file */ -}; - -/* error states */ -#define RSGTE_SUCCESS 0 /* Success state */ -#define RSGTE_IO 1 /* any kind of io error */ -#define RSGTE_FMT 2 /* data fromat error */ -#define RSGTE_INVLTYP 3 /* invalid TLV type record (unexcpected at this point) */ -#define RSGTE_OOM 4 /* ran out of memory */ -#define RSGTE_LEN 5 /* error related to length records */ -#define RSGTE_SIG_EXTEND 6/* error extending signature */ -#define RSGTE_INVLD_RECCNT 7/* mismatch between actual records and records - given in block-sig record */ -#define RSGTE_INVLHDR 8/* invalid file header */ -#define RSGTE_EOF 9 /* specific EOF */ -#define RSGTE_MISS_REC_HASH 10 /* record hash missing when expected */ -#define RSGTE_MISS_TREE_HASH 11 /* tree hash missing when expected */ -#define RSGTE_INVLD_REC_HASH 12 /* invalid record hash (failed verification) */ -#define RSGTE_INVLD_TREE_HASH 13 /* invalid tree hash (failed verification) */ -#define RSGTE_INVLD_REC_HASHID 14 /* invalid record hash ID (failed verification) */ -#define RSGTE_INVLD_TREE_HASHID 15 /* invalid tree hash ID (failed verification) */ -#define RSGTE_MISS_BLOCKSIG 16 /* block signature record missing when expected */ -#define RSGTE_INVLD_SIGNATURE 17 /* Signature is invalid (KSI_Signature_verifyDataHash)*/ -#define RSGTE_TS_CREATEHASH 18 /* error creating HASH (KSI_DataHash_create) */ -#define RSGTE_TS_DERENCODE 19 /* error DER-Encoding a timestamp */ -#define RSGTE_HASH_CREATE 20 /* error creating a hash */ -#define RSGTE_END_OF_SIG 21 /* unexpected end of signature - more log line exist */ -#define RSGTE_END_OF_LOG 22 /* unexpected end of log file - more signatures exist */ -#define RSGTE_EXTRACT_HASH 23 /* error extracting hashes for record */ -#define RSGTE_CONFIG_ERROR 24 /* Configuration error */ -#define RSGTE_NETWORK_ERROR 25 /* Network error */ -#define 
RSGTE_MISS_KSISIG 26 /* KSI signature missing */ - -const char * RSKSIE2String(int err); -uint16_t hashOutputLengthOctetsKSI(uint8_t hashID); -uint8_t hashIdentifierKSI(KSI_HashAlgorithm hashID); -const char * hashAlgNameKSI(uint8_t hashID); -KSI_HashAlgorithm hashID2AlgKSI(uint8_t hashID); - -#define getIVLenKSI(bh) (hashOutputLengthOctetsKSI((bh)->hashID)) -#define rsksiSetBlockSizeLimit(ctx, limit) ((ctx)->blockSizeLimit = limit) -#define rsksiSetKeepRecordHashes(ctx, val) ((ctx)->bKeepRecordHashes = val) -#define rsksiSetKeepTreeHashes(ctx, val) ((ctx)->bKeepTreeHashes = val) -#define rsksiSetFileUID(ctx, val) ((ctx)->fileUID = val) /* IDs for creation */ -#define rsksiSetDirUID(ctx, val) ((ctx)->dirUID = val) -#define rsksiSetFileGID(ctx, val) ((ctx)->fileGID= val) -#define rsksiSetDirGID(ctx, val) ((ctx)->dirGID = val) -#define rsksiSetCreateMode(ctx, val) ((ctx)->fCreateMode= val) -#define rsksiSetDirCreateMode(ctx, val) ((ctx)->fDirCreateMode = val) - - - -int rsksiSetAggregator(rsksictx ctx, char *uri, char *loginid, char *key); -int rsksiSetHashFunction(rsksictx ctx, char *algName); -int rsksiInit(char *usragent); -void rsksiExit(void); -rsksictx rsksiCtxNew(void); -void rsksisetErrFunc(rsksictx ctx, void (*func)(void*, unsigned char *), void *usrptr); -void rsksisetLogFunc(rsksictx ctx, void (*func)(void*, unsigned char *), void *usrptr); -void reportKSIAPIErr(rsksictx ctx, ksifile ksi, const char *apiname, int ecode); -ksifile rsksiCtxOpenFile(rsksictx ctx, unsigned char *logfn); -int rsksifileDestruct(ksifile ksi); -void rsksiCtxDel(rsksictx ctx); -void sigblkInitKSI(ksifile ksi); -int sigblkAddRecordKSI(ksifile ksi, const unsigned char *rec, const size_t len); -int sigblkFinishKSI(ksifile ksi); -int rsksiIntoImprintFromKSI_DataHash(imprint_t* imp, ksifile ksi, KSI_DataHash *hash); -imprint_t* rsksiImprintFromKSI_DataHash(ksifile ksi, KSI_DataHash *hash); -void rsksiimprintDel(imprint_t *imp); -/* reader functions */ -int rsksi_tlvrdHeader(FILE *fp, 
unsigned char *hdr); -int rsksi_tlvrd(FILE *fp, tlvrecord_t *rec, void *obj); -void rsksi_tlvprint(FILE *fp, uint16_t tlvtype, void *obj, uint8_t verbose); -void rsksi_printBLOCK_HDR(FILE *fp, block_hdr_t *bh, uint8_t verbose); -void rsksi_printBLOCK_SIG(FILE *fp, block_sig_t *bs, uint8_t verbose); -int rsksi_getBlockParams(FILE *fp, uint8_t bRewind, block_sig_t **bs, block_hdr_t **bh, uint8_t *bHasRecHashes, -uint8_t *bHasIntermedHashes); -int rsksi_getExcerptBlockParams(FILE *fp, uint8_t bRewind, block_sig_t **bs, block_hdr_t **bh); -int rsksi_chkFileHdr(FILE *fp, char *expect, uint8_t verbose); -ksifile rsksi_vrfyConstruct_gf(void); -void rsksi_vrfyBlkInit(ksifile ksi, block_hdr_t *bh, uint8_t bHasRecHashes, uint8_t bHasIntermedHashes); -int rsksi_vrfy_nextRec(ksifile ksi, FILE *sigfp, FILE *nsigfp, unsigned char *rec, size_t len, ksierrctx_t *ectx); -int rsksi_vrfy_nextRecExtract(ksifile ksi, FILE *sigfp, FILE *nsigfp, unsigned char *rec, size_t len, -ksierrctx_t *ectx, block_hashchain_t *hashchain, int storehashchain); -int rsksi_vrfy_nextHashChain(ksifile ksi, block_sig_t *bs, FILE *sigfp, unsigned char *rec, size_t len, -ksierrctx_t *ectx); -int verifyBLOCK_HDRKSI(FILE *sigfp, FILE *nsigfp, tlvrecord_t* tlvrec); -int verifyBLOCK_SIGKSI(block_sig_t *bs, ksifile ksi, FILE *sigfp, FILE *nsigfp, uint8_t bExtend, -KSI_DataHash *ksiHash, ksierrctx_t *ectx); -void rsksi_errctxInit(ksierrctx_t *ectx); -void rsksi_errctxExit(ksierrctx_t *ectx); -void rsksi_errctxSetErrRec(ksierrctx_t *ectx, char *rec); -void rsksi_errctxFrstRecInBlk(ksierrctx_t *ectx, char *rec); -void rsksi_objfree(uint16_t tlvtype, void *obj); -void rsksi_set_debug(int iDebug); -int rsksi_ConvertSigFile(FILE *oldsigfp, FILE *newsigfp, int verbose); -int rsksi_WriteHashChain(FILE *newsigfp, block_hashchain_t *hashchain, int verbose); -int rsksi_ExtractBlockSignature(FILE *newsigfp, block_sig_t *bsIn); -int rsksi_tlvwrite(FILE *fp, tlvrecord_t *rec); -int rsksi_tlvRecDecode(tlvrecord_t *rec, void 
*obj); -int rsksi_tlvDecodeIMPRINT(tlvrecord_t *rec, imprint_t **imprint); -int rsksi_tlvDecodeHASHCHAIN(tlvrecord_t *rec, block_hashchain_t **blhashchain); -int verifySigblkFinish(ksifile ksi, KSI_DataHash **pRoot); -int verifySigblkFinishChain(ksifile ksi, block_hashchain_t *hashchain, KSI_DataHash **pRoot, ksierrctx_t *ectx); -void outputHash(FILE *fp, const char *hdr, const uint8_t *data, const uint16_t len, const uint8_t verbose); -void outputKSIHash(FILE *fp, const char *hdr, const KSI_DataHash *const __restrict__ hash, const uint8_t verbose); -int rsksi_setDefaultConstraint(ksifile ksi, char *stroid, char *strvalue); - -/* TODO: replace these? */ -int hash_m_ksi(ksifile ksi, KSI_DataHash **m); -int hash_r_ksi(ksifile ksi, KSI_DataHash **r, const unsigned char *rec, const size_t len); -int hash_node_ksi(ksifile ksi, KSI_DataHash **node, KSI_DataHash *m, KSI_DataHash *r, uint8_t level); -extern const char *rsksi_read_puburl; /**< url of publication server */ -extern const char *rsksi_extend_puburl; /**< url of extension server */ -extern const char *rsksi_userid; /**< userid for extension server */ -extern const char *rsksi_userkey; /**< userkey for extension server */ -extern uint8_t rsksi_read_showVerified; -extern int RSKSI_FLAG_TLV16_RUNTIME; -extern int RSKSI_FLAG_NONCRIT_RUNTIME; - -#endif /* #ifndef INCLUDED_LIBRSKSI_H */ diff --git a/runtime/lmsig_ksi.c b/runtime/lmsig_ksi.c deleted file mode 100644 index 84398e1c6..000000000 --- a/runtime/lmsig_ksi.c +++ /dev/null 
@@ -1,279 +0,0 @@ -/* lmsig_ksi.c - * - * An implementation of the sigprov interface for KSI. - * - * Copyright 2013-2016 Rainer Gerhards and Adiscon GmbH. - * - * This file is part of the rsyslog runtime library. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * -or- - * see COPYING.ASL20 in the source distribution - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -#include "config.h" - -#include "rsyslog.h" -#include -#include -#include - -#include "module-template.h" -#include "glbl.h" -#include "errmsg.h" -#include "sigprov.h" -#include "lmsig_ksi.h" - -MODULE_TYPE_LIB -MODULE_TYPE_NOKEEP - -/* static data */ -DEFobjStaticHelpers -DEFobjCurrIf(errmsg) -DEFobjCurrIf(glbl) - -/* tables for interfacing with the v6 config system */ -static struct cnfparamdescr cnfpdescr[] = { - { "sig.hashfunction", eCmdHdlrGetWord, 0 }, - { "sig.aggregator.uri", eCmdHdlrGetWord, CNFPARAM_REQUIRED }, - { "sig.aggregator.user", eCmdHdlrGetWord, CNFPARAM_REQUIRED }, - { "sig.aggregator.key", eCmdHdlrGetWord, CNFPARAM_REQUIRED }, - { "sig.block.sizelimit", eCmdHdlrSize, 0 }, - { "sig.keeprecordhashes", eCmdHdlrBinary, 0 }, - { "sig.keeptreehashes", eCmdHdlrBinary, 0 }, - { "dirowner", eCmdHdlrUID, 0 }, /* legacy: dirowner */ - { "dirownernum", eCmdHdlrInt, 0 }, /* legacy: dirownernum */ - { "dirgroup", eCmdHdlrGID, 0 }, /* legacy: dirgroup */ - { "dirgroupnum", eCmdHdlrInt, 0 }, /* legacy: dirgroupnum */ - { "fileowner", eCmdHdlrUID, 0 }, /* legacy: fileowner */ - { "fileownernum", eCmdHdlrInt, 0 }, /* legacy: 
fileownernum */ - { "filegroup", eCmdHdlrGID, 0 }, /* legacy: filegroup */ - { "filegroupnum", eCmdHdlrInt, 0 }, /* legacy: filegroupnum */ - { "dircreatemode", eCmdHdlrFileCreateMode, 0 }, /* legacy: dircreatemode */ - { "filecreatemode", eCmdHdlrFileCreateMode, 0 } /* legacy: filecreatemode */ -}; -static struct cnfparamblk pblk = - { CNFPARAMBLK_VERSION, - sizeof(cnfpdescr)/sizeof(struct cnfparamdescr), - cnfpdescr - }; - - -static void -errfunc(__attribute__((unused)) void *usrptr, uchar *emsg) -{ - errmsg.LogError(0, RS_RET_SIGPROV_ERR, "KSI Signature Provider" - "Error: %s", emsg); -} - -static void -logfunc(__attribute__((unused)) void *usrptr, uchar *emsg) -{ - errmsg.LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, - "KSI Signature Provider: %s", emsg); -} - - -/* Standard-Constructor - */ -BEGINobjConstruct(lmsig_ksi) - pThis->ctx = rsksiCtxNew(); - rsksisetErrFunc(pThis->ctx, errfunc, NULL); - rsksisetLogFunc(pThis->ctx, logfunc, NULL); -ENDobjConstruct(lmsig_ksi) - - -/* destructor for the lmsig_ksi object */ -BEGINobjDestruct(lmsig_ksi) /* be sure to specify the object type also in END and CODESTART macros! */ -CODESTARTobjDestruct(lmsig_ksi) - rsksiCtxDel(pThis->ctx); -ENDobjDestruct(lmsig_ksi) - - -/* apply all params from param block to us. This must be called - * after construction, but before the OnFileOpen() entry point. - * Defaults are expected to have been set during construction. 
- */ -static rsRetVal -SetCnfParam(void *pT, struct nvlst *lst) -{ - char *ag_uri = NULL, *ag_loginid = NULL, *ag_key = NULL; - lmsig_ksi_t *pThis = (lmsig_ksi_t*) pT; - int i; - uchar *cstr; - struct cnfparamvals *pvals; - DEFiRet; - pvals = nvlstGetParams(lst, &pblk, NULL); - if(pvals == NULL) { - ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS); - } - if(Debug) { - dbgprintf("sig param blk in lmsig_ksi:\n"); - cnfparamsPrint(&pblk, pvals); - } - - for(i = 0 ; i < pblk.nParams ; ++i) { - if(!pvals[i].bUsed) - continue; - if(!strcmp(pblk.descr[i].name, "sig.hashfunction")) { - cstr = (uchar*) es_str2cstr(pvals[i].val.d.estr, NULL); - if(rsksiSetHashFunction(pThis->ctx, (char*)cstr) == 2) { - errmsg.LogError(0, RS_RET_ERR, "Hash function " - "'%s' has been removed due to insecurity - " - "using default", cstr); - } else if(rsksiSetHashFunction(pThis->ctx, (char*)cstr) != 0) { - errmsg.LogError(0, RS_RET_ERR, "Hash function " - "'%s' unknown - using default", cstr); - } - free(cstr); - } else if(!strcmp(pblk.descr[i].name, "sig.aggregator.uri")) { - ag_uri = es_str2cstr(pvals[i].val.d.estr, NULL); - } else if(!strcmp(pblk.descr[i].name, "sig.aggregator.user")) { - ag_loginid = es_str2cstr(pvals[i].val.d.estr, NULL); - } else if(!strcmp(pblk.descr[i].name, "sig.aggregator.key")) { - ag_key = es_str2cstr(pvals[i].val.d.estr, NULL); - } else if(!strcmp(pblk.descr[i].name, "sig.block.sizelimit")) { - rsksiSetBlockSizeLimit(pThis->ctx, pvals[i].val.d.n); - } else if(!strcmp(pblk.descr[i].name, "sig.keeprecordhashes")) { - rsksiSetKeepRecordHashes(pThis->ctx, pvals[i].val.d.n); - } else if(!strcmp(pblk.descr[i].name, "sig.keeptreehashes")) { - rsksiSetKeepTreeHashes(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "dirowner")) { - rsksiSetDirUID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "dirownernum")) { - rsksiSetDirUID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "dirgroup")) { - 
rsksiSetDirGID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "dirgroupnum")) { - rsksiSetDirGID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "fileowner")) { - rsksiSetFileUID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "fileownernum")) { - rsksiSetFileUID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "filegroup")) { - rsksiSetFileGID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "filegroupnum")) { - rsksiSetFileGID(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "dircreatemode")) { - rsksiSetDirCreateMode(pThis->ctx, pvals[i].val.d.n); - } else if (!strcmp(pblk.descr[i].name, "filecreatemode")) { - rsksiSetCreateMode(pThis->ctx, pvals[i].val.d.n); - } else { - DBGPRINTF("lmsig_ksi: program error, non-handled " - "param '%s'\n", pblk.descr[i].name); - } - } - - if(rsksiSetAggregator(pThis->ctx, ag_uri, ag_loginid, ag_key) != KSI_OK) - ABORT_FINALIZE(RS_RET_KSI_ERR); - - free(ag_uri); - free(ag_loginid); - free(ag_key); -finalize_it: - if(pvals != NULL) - cnfparamvalsDestruct(pvals, &pblk); - RETiRet; -} - - -static rsRetVal -OnFileOpen(void *pT, uchar *fn, void *pGF) -{ - lmsig_ksi_t *pThis = (lmsig_ksi_t*) pT; - ksifile *pgf = (ksifile*) pGF; - DEFiRet; - DBGPRINTF("lmsig_ksi: onFileOpen: %s\n", fn); - /* note: if *pgf is set to NULL, this auto-disables GT functions */ - *pgf = rsksiCtxOpenFile(pThis->ctx, fn); - sigblkInitKSI(*pgf); - RETiRet; -} - -/* Note: we assume that the record is terminated by a \n. - * As of the GuardTime paper, \n is not part of the signed - * message, so we subtract one from the record size. This - * may cause issues with non-standard formats, but let's - * see how things evolve (the verifier will not work in - * any case when the records are not \n delimited...). 
- * rgerhards, 2013-03-17 - */ -static rsRetVal -OnRecordWrite(void *pF, uchar *rec, rs_size_t lenRec) -{ - DEFiRet; - DBGPRINTF("lmsig_ksi: onRecordWrite (%d): %s\n", lenRec-1, rec); - sigblkAddRecordKSI(pF, rec, lenRec-1); - - RETiRet; -} - -static rsRetVal -OnFileClose(void *pF) -{ - DEFiRet; - DBGPRINTF("lmsig_ksi: onFileClose\n"); - rsksifileDestruct(pF); - - RETiRet; -} - -BEGINobjQueryInterface(lmsig_ksi) -CODESTARTobjQueryInterface(lmsig_ksi) - if(pIf->ifVersion != sigprovCURR_IF_VERSION) {/* check for current version, increment on each change */ - ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED); - } - pIf->Construct = (rsRetVal(*)(void*)) lmsig_ksiConstruct; - pIf->SetCnfParam = SetCnfParam; - pIf->Destruct = (rsRetVal(*)(void*)) lmsig_ksiDestruct; - pIf->OnFileOpen = OnFileOpen; - pIf->OnRecordWrite = OnRecordWrite; - pIf->OnFileClose = OnFileClose; -finalize_it: -ENDobjQueryInterface(lmsig_ksi) - - -BEGINObjClassExit(lmsig_ksi, OBJ_IS_LOADABLE_MODULE) /* CHANGE class also in END MACRO! */ -CODESTARTObjClassExit(lmsig_ksi) - /* release objects we no longer need */ - objRelease(errmsg, CORE_COMPONENT); - objRelease(glbl, CORE_COMPONENT); -ENDObjClassExit(lmsig_ksi) - - -BEGINObjClassInit(lmsig_ksi, 1, OBJ_IS_LOADABLE_MODULE) /* class, version */ - /* request objects we use */ - CHKiRet(objUse(errmsg, CORE_COMPONENT)); - CHKiRet(objUse(glbl, CORE_COMPONENT)); -ENDObjClassInit(lmsig_ksi) - - -/* --------------- here now comes the plumbing that makes as a library module --------------- */ - - -BEGINmodExit -CODESTARTmodExit - lmsig_ksiClassExit(); -ENDmodExit - - -BEGINqueryEtryPt -CODESTARTqueryEtryPt -CODEqueryEtryPt_STD_LIB_QUERIES -ENDqueryEtryPt - - -BEGINmodInit() -CODESTARTmodInit - *ipIFVersProvided = CURR_MOD_IF_VERSION; - CHKiRet(lmsig_ksiClassInit(pModInfo)); -ENDmodInit diff --git a/runtime/lmsig_ksi.h b/runtime/lmsig_ksi.h deleted file mode 100644 index e0685c335..000000000 --- a/runtime/lmsig_ksi.h +++ /dev/null 
@@ -1,41 +0,0 @@
-/* An implementation of the sigprov interface for KSI.
- *
- * Copyright 2013-2015 Adiscon GmbH.
- *
- * This file is part of the rsyslog runtime library.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- * -or-
- * see COPYING.ASL20 in the source distribution
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#ifndef INCLUDED_LMSIG_KSI_H
-#define INCLUDED_LMSIG_KSI_H
-#include "sigprov.h"
-#include "librsgt_common.h"
-#include "librsksi.h"
-
-/* interface is defined in sigprov.h, we just implement it! */
-#define lmsig_ksiCURR_IF_VERSION sigprovCURR_IF_VERSION
-typedef sigprov_if_t lmsig_ksi_if_t;
-
-/* the lmsig_ksi object */
-struct lmsig_ksi_s {
- BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */
- rsksictx ctx; /* librsksi context - contains all we need */
-};
-typedef struct lmsig_ksi_s lmsig_ksi_t;
-
-/* prototypes */
-PROTOTYPEObj(lmsig_ksi);
-
-#endif /* #ifndef INCLUDED_LMSIG_KSI_H */
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 66c3edf0a..e52e70161 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -278,25 +278,6 @@ TESTS += \ fac_local0-vg.sh endif # HAVE_VALGRIND -if ENABLE_USERTOOLS -if ENABLE_GT_KSI -TESTS += \ - ksi-verify-short.sh \ - ksi-verify-long.sh \ - ksi-verify-cnstr-short.sh \ - ksi-verify-cnstr-long.sh \ - ksi-extract-verify-short.sh \ - ksi-extract-verify-long.sh -if HAVE_VALGRIND -TESTS += \ - ksi-verify-short-vg.sh \ - ksi-verify-long-vg.sh \ - ksi-extract-verify-short-vg.sh \ - ksi-extract-verify-long-vg.sh -endif -endif -endif - if ENABLE_OMJOURNAL TESTS += \ omjournal-abort-template.sh \ @@ -1527,18 +1508,6 @@ EXTRA_DIST= \ json_var_case.sh \ testsuites/json_var_case.conf \ cfg.sh \ - testsuites/ksi-sample.log \ - testsuites/ksi-sample.log.ksisig \ - ksi-verify-short.sh \ - ksi-verify-long.sh \ - ksi-extract-verify-short.sh \ - ksi-extract-verify-long.sh \ - ksi-verify-cnstr-short.sh \ - ksi-verify-cnstr-long.sh \ - ksi-verify-short-vg.sh \ - ksi-verify-long-vg.sh \ - ksi-extract-verify-short-vg.sh \ - ksi-extract-verify-long-vg.sh \ empty-prop-comparison.sh \ sndrcv_tls_anon_rebind.sh \ testsuites/sndrcv_tls_anon_rebind_sender.conf \ diff --git a/tests/ksi-extract-verify-long-vg.sh b/tests/ksi-extract-verify-long-vg.sh deleted file mode 100755 index 54fc885fa..000000000 --- a/tests/ksi-extract-verify-long-vg.sh +++ /dev/null 
@@ -1,47 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Extract lines from sample logdata and verifies against public
-# ksi verification repository. Test uses valgrind.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="--show-verified"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo "[ksi-extract-verify-long-vg.sh]: testing rsgtutil extract with valgrind - long options"
-. $srcdir/diag.sh init
-
-echo "running rsgtutil extract command"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG --extract 4,8,21 --output $srcdir/ksi-export.log --publications-server $RSYSLOG_KSI_BIN $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-long-vg.sh]: rsgtutil extract failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-long-vg.sh]: rsgtutil extract failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-echo "running rsgtutil verify command"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG --verify --publications-server http://verify.guardtime.com/ksi-publications.bin $srcdir/ksi-export.log
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-long-vg.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-long-vg.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f $srcdir/ksi-export.*
-
-echo SUCCESS: rsgtutil extract with valgrind - long options
\ No newline at end of file
diff --git a/tests/ksi-extract-verify-long.sh b/tests/ksi-extract-verify-long.sh
deleted file mode 100755
index 6fab31ca2..000000000
--- a/tests/ksi-extract-verify-long.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Extract lines from sample logdata and verifies against public
-# ksi verification repository.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="--show-verified"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo "[ksi-extract-verify-long.sh]: testing rsgtutil extract function - long options"
-. $srcdir/diag.sh init
-
-echo "running rsgtutil extract command"
-../tools/rsgtutil $RSYSLOG_KSI_DEBUG --extract 4,8,21 --output $srcdir/ksi-export.log --publications-server http://verify.guardtime.com/ksi-publications.bin $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-long.sh]: rsgtutil extract failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-long.sh]: rsgtutil extract failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-echo "running rsgtutil verify command"
-../tools/rsgtutil $RSYSLOG_KSI_DEBUG --verify --publications-server http://verify.guardtime.com/ksi-publications.bin $srcdir/ksi-export.log
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-long.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-long.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f $srcdir/ksi-export.*
-
-echo SUCCESS: rsgtutil extract function - long options
\ No newline at end of file
diff --git a/tests/ksi-extract-verify-short-vg.sh b/tests/ksi-extract-verify-short-vg.sh
deleted file mode 100755
index c02e9ade2..000000000
--- a/tests/ksi-extract-verify-short-vg.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Extract lines from sample logdata and verifies against public
-# ksi verification repository. Test uses valgrind.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="-s"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo "[ksi-extract-verify-short-vg.sh]: testing rsgtutil extract with valgrind - short options"
-. $srcdir/diag.sh init
-
-echo "running rsgtutil extract command"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG -x 4,8,21 -o $srcdir/ksi-export.log -P http://verify.guardtime.com/ksi-publications.bin $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-short-vg.sh]: rsgtutil extract failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-short-vg.sh]: rsgtutil extract failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-echo "running rsgtutil verify command"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG -t -P http://verify.guardtime.com/ksi-publications.bin $srcdir/ksi-export.log
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-short-vg.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-short-vg.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f $srcdir/ksi-export.*
-
-echo SUCCESS: rsgtutil extract with valgrind - short options
\ No newline at end of file
diff --git a/tests/ksi-extract-verify-short.sh b/tests/ksi-extract-verify-short.sh
deleted file mode 100755
index 9de871404..000000000
--- a/tests/ksi-extract-verify-short.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Extract lines from sample logdata and verifies against public
-# ksi verification repository.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="-s"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo "[ksi-extract-verify-short.sh]: testing rsgtutil extract function - short options"
-. $srcdir/diag.sh init
-
-echo "running rsgtutil extract command"
-../tools/rsgtutil $RSYSLOG_KSI_DEBUG -x 4,8,21 -o $srcdir/ksi-export.log -P http://verify.guardtime.com/ksi-publications.bin $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-short.sh]: rsgtutil extract failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-short.sh]: rsgtutil extract failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then
- echo "[.sh]: rsgtutil extract failed with error: " $RSYSLOGD_EXIT
- exit 1;
-fi
-
-echo "running rsgtutil verify command"../tools/rsgtutil -t -P http://verify.guardtime.com/ksi-publications.bin $srcdir/ksi-export.log
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-extract-verify-short.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-extract-verify-short.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f $srcdir/ksi-export.*
-
-echo SUCCESS: rsgtutil extract function - short options
\ No newline at end of file
diff --git a/tests/ksi-verify-cnstr-long.sh b/tests/ksi-verify-cnstr-long.sh
deleted file mode 100755
index f6a486100..000000000
--- a/tests/ksi-verify-cnstr-long.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Verifies sample logdata against public ksi verification repository.
-# Adds --cnstr parameter
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="--show-verified"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo \[ksi-verify-cnstr-long.sh\]: testing rsgtutil verify function \(With cnstr param\) - long options
-. $srcdir/diag.sh init
-
-echo "running rsgtutil command with long options"
-../tools/rsgtutil $RSYSLOG_KSI_DEBUG --verify --publications-server $RSYSLOG_KSI_BIN --cnstr KSI_CERT_EMAIL=publications@guardtime.com $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-verify-cnstr-long.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-verify-cnstr-long.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f rsgtutil.out*.log
-
-echo SUCCESS: rsgtutil verify function \(With cnstr param\) - long options
\ No newline at end of file
diff --git a/tests/ksi-verify-cnstr-short.sh b/tests/ksi-verify-cnstr-short.sh
deleted file mode 100755
index 83710673d..000000000
--- a/tests/ksi-verify-cnstr-short.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Verifies sample logdata against public ksi verification repository.
-# Adds -C parameter
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="-s"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo \[ksi-verify-cnstr-short.sh\]: testing rsgtutil verify function \(With cnstr param\) - short options
-. $srcdir/diag.sh init
-
-echo "running rsgtutil command with short options"
-../tools/rsgtutil $RSYSLOG_KSI_DEBUG -t -P $RSYSLOG_KSI_BIN -C KSI_CERT_EMAIL=publications@guardtime.com $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-verify-cnstr-short.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-verify-cnstr-short.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f rsgtutil.out*.log
-
-echo SUCCESS: rsgtutil verify function \(With cnstr param\) - short options
\ No newline at end of file
diff --git a/tests/ksi-verify-long-vg.sh b/tests/ksi-verify-long-vg.sh
deleted file mode 100755
index d88d35973..000000000
--- a/tests/ksi-verify-long-vg.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Verifies sample logdata against public ksi verification repository.
-# Test uses valgrind.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="--show-verified"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo \[ksi-verify-long-vg.sh\]: testing rsgtutil verify with valgrind - long options
-. $srcdir/diag.sh init
-
-echo "running rsgtutil command with long options"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG --verify --publications-server $RSYSLOG_KSI_BIN $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-verify-long-vg.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-verify-long-vg.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f rsgtutil.out*.log
-
-echo SUCCESS: rsgtutil verify function with valgrind- long options
\ No newline at end of file
diff --git a/tests/ksi-verify-short-vg.sh b/tests/ksi-verify-short-vg.sh
deleted file mode 100755
index b7c89a32a..000000000
--- a/tests/ksi-verify-short-vg.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# rsgtutil utility test
-# Verifies sample logdata against public ksi verification repository.
-# Test uses valgrind.
-#
-# This file is part of the rsyslog project, released under ASL 2.0
-#
-# Copyright 2016 Rainer Gerhards and Adiscon GmbH.
-RSYSLOG_KSI_BIN="http://verify.guardtime.com/ksi-publications.bin"
-RSYSLOG_KSI_DEBUG="-s"
-RSYSLOG_KSI_LOG="ksi-sample.log"
-
-echo \[ksi-verify-short-vg.sh\]: testing rsgtutil verify with valgrind - short options
-. $srcdir/diag.sh init
-
-echo "running rsgtutil command with short options"
-valgrind $RS_TESTBENCH_VALGRIND_EXTRA_OPTS --log-fd=1 --error-exitcode=10 --malloc-fill=ff --free-fill=fe --leak-check=full ../tools/rsgtutil $RSYSLOG_KSI_DEBUG -t -s -P $RSYSLOG_KSI_BIN $srcdir/testsuites/$RSYSLOG_KSI_LOG
-
-RSYSLOGD_EXIT=$?
-if [ "$RSYSLOGD_EXIT" -ne "0" ]; then # EX_OK
- if [ "$RSYSLOGD_EXIT" -eq "69" ]; then # EX_UNAVAILABLE
- echo "[ksi-verify-short-vg.sh]: rsgtutil verify failed with service unavailable (does not generate an error)"
- exit 77;
- else
- echo "[ksi-verify-short-vg.sh]: rsgtutil verify failed with error: " $RSYSLOGD_EXIT
- exit 1;
- fi
-fi
-
-# Cleanup temp files
-rm -f rsgtutil.out*.log
-
-echo SUCCESS: rsgtutil verify function with valgrind - short options
\ No newline at end of file
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 4a477fd2d..f229e8839 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -96,25 +96,7 @@ man1_MANS += rsgtutil.1
 CLEANFILES += rsgtutil.1
 EXTRA_DIST+= rsgtutil.1
 endif
-if ENABLE_GT_KSI
-rsgtutil_CPPFLAGS += $(GT_KSI_CFLAGS) -DENABLEKSI
-rsgtutil_LDADD += ../runtime/librsksi.la $(GT_KSI_LIBS)
-endif
 else
-if ENABLE_GT_KSI
-bin_PROGRAMS += rsgtutil
-rsgtutil = rsgtutil.c
-rsgtutil_CPPFLAGS = $(RSRT_CFLAGS) $(GT_KSI_CFLAGS) -DENABLEKSI
-rsgtutil_LDADD = ../runtime/librsksi.la $(GT_KSI_LIBS)
-if ENABLE_GENERATE_MAN_PAGES
-RSTMANFILE = rsgtutil.rst
-rsgtutil.1: $(RSTMANFILE)
- $(AM_V_GEN) $(RST2MAN) $(RSTMANFILE) $@
-man1_MANS += rsgtutil.1
-CLEANFILES += rsgtutil.1
-EXTRA_DIST+= rsgtutil.1
-endif
-endif
 endif
 if ENABLE_LIBGCRYPT
 bin_PROGRAMS += rscryutil