unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity

feat(packaging): signed Inno Setup installer for the Windows host + CI
apple / swift (push) Successful in 54s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
Details
windows-host / package (push) Failing after 6m18s
Details
android / android (push) Failing after 2m12s
Details
ci / web (push) Successful in 38s
Details
ci / rust (push) Failing after 1m40s
Details
ci / docs-site (push) Successful in 29s
Details
deb / build-publish (push) Successful in 2m35s
Details
decky / build-publish (push) Successful in 24s
Details
ci / bench (push) Successful in 4m32s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 14s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 3m35s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 20s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m33s
Details
docker / deploy-docs (push) Successful in 22s
Details

Browse Source 
MSIX (the client's format) can't install the host's LocalSystem secure-desktop
service or the SudoVDA kernel driver, so the host ships as a signed Inno Setup
setup.exe that runs elevated and delegates to the existing idempotent
`punktfunk-host service install`.

- packaging/windows/punktfunk-host.iss: lay exe into Program Files, optional
  SudoVDA driver task, run service install/start; [Code] stops+waits the service
  before file copy on upgrade; uninstall runs service uninstall.
- pack-host-installer.ps1: cert (reuses MSIX_CERT_PFX_B64 / self-signed CN=unom),
  sign inner exe + setup.exe, fetch/stage SudoVDA, run ISCC, export public .cer.
- fetch-sudovda.ps1 / install-sudovda.ps1: pinned SudoVDA + nefcon download, cert
  import, gated device-node create (no phantom dup), pnputil install (warn-not-abort).
- nvenc/: synthesize nvencodeapi.lib via llvm-dlltool from a 2-export .def so
  --features nvenc links with no GPU/SDK at build time.
- .gitea/workflows/windows-host.yml: build (nvenc) -> clippy -> ISCC -> sign ->
  publish setup.exe + .cer to the generic registry pkg punktfunk-host-windows.
  Tag host-win-v* -> X.Y.Z (+ latest/ alias); main push -> rolling 0.2.<run>.
- setup-windows-runner.ps1: provision Inno Setup; docs: installer instructions.

SudoVDA/nefcon release URLs+SHA-256s in fetch-sudovda.ps1 are placeholders
(baseline v0.2.1) — fetch warns + prints the computed hash until pinned.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-18 23:05:20 +00:00
parent f4cff765ed
commit 16d3b7767e
11 changed files with 733 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packaging/windows/fetch-sudovda.ps1
+91
View File
@@ -0,0 +1,91 @@
<#
.SYNOPSIS
Download + verify the SudoVDA virtual-display driver and the nefcon device tool, and stage the
files the installer bundles into -OutDir.
.DESCRIPTION
The host uses SudoVDA (the SudoMaker Indirect Display Driver the Apollo Sunshine-fork ships) for
client-native-resolution virtual outputs (crates/punktfunk-host/src/vdisplay/sudovda.rs). The
driver isn't in this repo; CI fetches a PINNED release at pack time so the installer can carry it.
nefcon (nefarius/nefcon) provides `nefconc.exe`, used to create the root-enumerated device node
(pnputil cannot create a software/root device node from nothing).
Output (consumed by punktfunk-host.iss): -OutDir gets the driver payload (*.inf/*.cat/*.dll/*.sys
+ the signing *.cer) and nefconc.exe, flattened. install-sudovda.ps1 is copied in by the packer.
PINNING: the URLs + SHA-256s below are the single source of truth for what ships. If a Sha256 is
left empty, the script downloads, prints the computed hash, and continues with a loud warning —
fill it in to lock the release. Override any field with the params for a one-off build.
.EXAMPLE
pwsh -File fetch-sudovda.ps1 -OutDir C:\t\out\stage
#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)][string]$OutDir,
# --- PINNED SudoVDA release (https://github.com/SudoMaker/SudoVDA/releases) ---------------
# Baseline validated by the host backend: SudoVDA 0.2.1 (sudovda.rs header). Confirm the latest
# asset name/URL at impl time; fill Sha256 to lock it.
[string]$SudoVdaTag = 'v0.2.1',
[string]$SudoVdaUrl = 'https://github.com/SudoMaker/SudoVDA/releases/download/v0.2.1/SudoVDA-v0.2.1.zip',
[string]$SudoVdaSha256 = '',
# --- PINNED nefcon release (https://github.com/nefarius/nefcon/releases) ------------------
[string]$NefconUrl = 'https://github.com/nefarius/nefcon/releases/download/v1.0.2.0/nefconw.zip',
[string]$NefconSha256 = ''
)
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
function Get-Verified([string]$Url, [string]$ExpectedSha256, [string]$Dest) {
Write-Host "==> downloading $Url"
Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing
$got = (Get-FileHash -Algorithm SHA256 -Path $Dest).Hash.ToLowerInvariant()
if ($ExpectedSha256) {
if ($got -ne $ExpectedSha256.ToLowerInvariant()) {
throw "SHA-256 mismatch for $Url`n expected $ExpectedSha256`n got $got"
}
Write-Host " sha256 ok ($got)"
}
else {
Write-Warning "no pinned SHA-256 for $Url — computed $got (PIN THIS in fetch-sudovda.ps1)"
}
}
# fresh staging dir
if (Test-Path $OutDir) { Remove-Item -Recurse -Force $OutDir }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$work = Join-Path $OutDir '_work'
New-Item -ItemType Directory -Force -Path $work | Out-Null
# --- SudoVDA driver payload -------------------------------------------------------------------
$sudoZip = Join-Path $work 'sudovda.zip'
Get-Verified -Url $SudoVdaUrl -ExpectedSha256 $SudoVdaSha256 -Dest $sudoZip
$sudoEx = Join-Path $work 'sudovda'
Expand-Archive -Path $sudoZip -DestinationPath $sudoEx -Force
# Flatten the driver files we need into -OutDir. SudoVDA is a user-mode IDD (a .dll registered by an
# .inf); pull the .inf/.cat/.dll plus a .sys if present and the signing .cer.
$driverFiles = Get-ChildItem -Path $sudoEx -Recurse -Include *.inf, *.cat, *.dll, *.sys, *.cer
if (-not ($driverFiles | Where-Object Extension -eq '.inf')) {
throw "no .inf found in the SudoVDA archive ($SudoVdaUrl) — wrong asset?"
}
$driverFiles | ForEach-Object { Copy-Item $_.FullName (Join-Path $OutDir $_.Name) -Force }
# --- nefcon (nefconc.exe) ---------------------------------------------------------------------
$nefZip = Join-Path $work 'nefcon.zip'
Get-Verified -Url $NefconUrl -ExpectedSha256 $NefconSha256 -Dest $nefZip
$nefEx = Join-Path $work 'nefcon'
Expand-Archive -Path $nefZip -DestinationPath $nefEx -Force
# Prefer the x64 console build.
$nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' |
Where-Object { $_.FullName -match '(?i)(x64|amd64)' } |
Select-Object -First 1
if (-not $nefc) { $nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' | Select-Object -First 1 }
if (-not $nefc) { throw "nefconc.exe not found in $NefconUrl" }
Copy-Item $nefc.FullName (Join-Path $OutDir 'nefconc.exe') -Force
Remove-Item -Recurse -Force $work
Write-Host "==> staged SudoVDA + nefcon in $OutDir :"
Get-ChildItem $OutDir -File | ForEach-Object { " $($_.Name)" }