DataDog · cedricvanrompay-datadog · Jun 9, 2026 · Jun 10, 2026 · Jun 10, 2026 · chatgpt-codex-connector
@@ -17,5 +17,17 @@ powershell_script_signing:
       - $WINDOWS_POWERSHELL_DIR
   script:
     - mkdir $WINDOWS_POWERSHELL_DIR
-    - docker run --rm -v "$(Get-Location):c:\mnt" -e AWS_NETWORKING=true -e CI -e IS_AWS_CONTAINER=true -e WINDOWS_SIGNING_CERT -e WINDOWS_SIGNING_CONFIG ${WINBUILDIMAGE} powershell -C "if (`$Env:WINDOWS_SIGNING_CERT -and `$Env:WINDOWS_SIGNING_CONFIG) { dd-wcs sign --cert `$Env:WINDOWS_SIGNING_CERT --config `$Env:WINDOWS_SIGNING_CONFIG '\mnt\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1' } else { dd-wcs sign '\mnt\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1' }"
+    # documentation: https://github.com/DataDog/windows-code-signer
+    - docker run --rm
+      -v "$(Get-Location):c:\mnt"
+      -v "${CI_PROJECT_DIR}\.aws\credentials-by-job-id:C:\aws-creds"
+      -e "AWS_SHARED_CREDENTIALS_FILE=C:\aws-creds\${CI_JOB_ID}"
+      -e AWS_NETWORKING=true
+      -e CI
+      -e IS_AWS_CONTAINER=true
+      -e CI_IDENTITIES_GITLAB_ID_TOKEN
+      -e CI_JOB_NAME_SLUG
+      ${WINBUILDIMAGE}
+      powershell -C "C:\devtools\windows-code-signer.exe
+      sign \mnt\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1"
     - copy .\tools\windows\DatadogAgentInstallScript\Install-Datadog.ps1 $WINDOWS_POWERSHELL_DIR\Install-Datadog.ps1
@@ -132,11 +132,11 @@ def ddwcssign(file)
       begin
         attempts += 1
         cmd = Array.new.tap do |arr|
-          arr << "dd-wcs"
+          arr << "C:/devtools/windows-code-signer.exe"
           arr << "sign"
           if ENV['WINDOWS_SIGNING_CERT'] && ENV['WINDOWS_SIGNING_CONFIG']
             arr << "--cert" << ENV['WINDOWS_SIGNING_CERT']
-            arr << "--config" << ENV['WINDOWS_SIGNING_CONFIG']
+            arr << "--key-info" << ENV['WINDOWS_SIGNING_CONFIG']
           end
           arr << "\"#{file}\""
         end.join(" ")
@@ -145,7 +145,7 @@ def ddwcssign(file)
         if status.exitstatus != 0
           log.warn(self.class.name) do
             <<-EOH.strip
-              Failed to sign with dd-wcs (Attempt #{attempts} of #{max_retries})
+              Failed to sign with windows-code-signer.exe (Attempt #{attempts} of #{max_retries})
 
               STDOUT
               ------
@@ -156,9 +156,9 @@ def ddwcssign(file)
               #{status.stderr}
             EOH
           end
-          raise "Failed to sign with dd-wcs"
+          raise "Failed to sign with windows-code-signer.exe"
         else
-          log.info(self.class.name) { "Successfully signed #{file} after #{attempts} attempt(s)" }
+          log.info(self.class.name) { "Successfully signed #{file} using windows-code-signer.exe after #{attempts} attempt(s)" }
         end
       rescue => e
         # Retry logic: raise error after 3 attempts
@@ -167,7 +167,7 @@ def ddwcssign(file)
           sleep(delay)
           retry
         end
-        raise "Failed to sign with dd-wcs: #{e.message}"
+        raise "Failed to sign with windows-code-signer.exe: #{e.message}"
       end
     end
 

@@ -69,8 +69,8 @@
         'PROGRAMFILES(X86)': 'Standard Windows installation location',
         'PROGRAMFILESW6432': 'Standard Windows installation location',
         'SIGN_WINDOWS_DD_WCS': 'Determines whether to sign Windows artifacts',
-        'WINDOWS_SIGNING_CERT': 'S3 URL of the signing certificate to use with dd-wcs',
-        'WINDOWS_SIGNING_CONFIG': 'S3 URL of the signing config to use with dd-wcs',
+        'WINDOWS_SIGNING_CERT': 'S3 URL of the signing certificate to use with windows-code-signer.exe',
+        'WINDOWS_SIGNING_CONFIG': 'S3 URL of the signing config to use with windows-code-signer.exe',
         'SSL_CERT_FILE': 'Used to point Ruby at the certificate for OpenSSL',
         'SYSTEMDRIVE': "goes with SYSTEMROOT",
         'SYSTEMROOT': 'Solves git: fatal: getaddrinfo() thread failed to start',

@@ -111,8 +111,9 @@ def sign_file(ctx, path, force=False):
     if dd_wcs_enabled or force:
         cert = os.environ.get('WINDOWS_SIGNING_CERT')
         config = os.environ.get('WINDOWS_SIGNING_CONFIG')
-        cert_args = f'--cert {cert} --config {config} ' if cert and config else ''
-        return ctx.run(f'dd-wcs sign {cert_args}"{path}"')
+        cert_args = f'--cert {cert} --key-info {config} ' if cert and config else ''
+        print("signing with windows-code-signer.exe")
+        return ctx.run(f'C:/devtools/windows-code-signer.exe sign {cert_args} "{path}"')
 
 
 def _ensure_wix_tools(ctx):