Deprecate Install-Datadog.ps1 and relax CN signature check#49570
Open
Deprecate Install-Datadog.ps1 and relax CN signature check#49570
Conversation
Print a deprecation warning pointing users to datadog-installer.exe and the in-app install guide. Loosen the signature subject check to match any 'Datadog' CN, since the CN string varies by signing authority.
clarkb7
added
qa/done
clarkb7
changed the title
github-actions
bot
added
the
short review
Contributor
Files inventory check summaryFile checks results against ancestor 3a85c628: Results for datadog-agent_7.80.0~devel.git.55.db0b75f.pipeline.108578513-1_amd64.deb:No change detected |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7339d2d6b8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
lrbhatia
approved these changes
Apr 20, 2026
clarkb7
added
backport/7.78.x
|
in-script notice LGTM, thanks for adding |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Install-Datadog.ps1runs, pointing users todatadog-installer.exeand the in-app installation guide.DatadogCN rather than the exact literalCN="Datadog, Inc". Our next cert may haveCN="Datadog, Inc."(note the trailing period), which would fail the old check.$SCRIPT_VERSIONto1.2.2and adds a reno note.Motivation
Install-Datadog.ps1was used during the Fleet Automation preview in 2024 but was never made generally available. Some customers are still using it and would be impacted by the strictCN="Datadog, Inc"check the next time we rotate our code signing key — our next cert may haveCN="Datadog, Inc."(with a trailing period), which the old match would reject. This PR officially deprecates the script, relaxes the CN check so existing users keep working across key rotations, and adds an in-script notice pointing customers todatadog-installer.exeand the in-app installation guide.Jira: WINA-2595
Describe how you validated your changes
Manual run of the script on Windows: verified the deprecation warning prints and the signature check still passes against a signed installer.
e2e tests run the script and check the certs
See also #incident-52121, follow up will have cert with new CN, the pipeline there should pass now.