diff --git a/packaging/windows/README.md b/packaging/windows/README.md index 69b48f8..70ebf70 100644 --- a/packaging/windows/README.md +++ b/packaging/windows/README.md @@ -44,13 +44,20 @@ Silent install: `punktfunk-host-setup-.exe /VERYSILENT` (omit the driver wi | File | Role | |------|------| | `punktfunk-host.iss` | Inno Setup script (the installer definition). | -| `pack-host-installer.ps1` | Orchestrator: cert + sign, fetch/stage SudoVDA, run ISCC, sign setup.exe, emit registry paths. | -| `fetch-sudovda.ps1` | Download + SHA-256-verify the **pinned** SudoVDA + nefcon releases; stage the driver payload. | +| `pack-host-installer.ps1` | Orchestrator: cert + sign, stage the driver bundle, run ISCC, sign setup.exe, emit registry paths. | +| `stage-sudovda.ps1` | Stage the **vendored** SudoVDA driver + fetch/verify the **pinned** nefcon release into the bundle. | | `install-sudovda.ps1` | Runs at install time (elevated): trust cert → gated device-node create → `pnputil` install. | +| `sudovda/` | **Vendored** prebuilt SudoVDA driver: `SudoVDA.inf` / `sudovda.cat` / `SudoVDA.dll` / `sudovda.cer`. | | `nvenc/nvenc.def`, `nvenc/gen-nvenc-importlib.ps1` | Synthesise `nvencodeapi.lib` for the `--features nvenc` link (llvm-dlltool / lib.exe). | -> **Pinning:** the SudoVDA / nefcon release URLs + SHA-256s in `fetch-sudovda.ps1` are the source of -> truth for what ships. Confirm the latest asset URLs and fill the SHA-256s to lock a release. +> **Vendored driver:** SudoVDA has no upstream release (its repo is a source-only VS solution; Apollo +> embeds the driver in its own installer), so the prebuilt **signed** driver is checked in under +> `sudovda/` (MIT/CC0; v1.10.9.289, signer `CN=sudovda@su.mk`, Class=Display, HWID +> `Root\SudoMaker\SudoVDA`). To refresh it, copy the four files out of a box's driver store +> (`C:\Windows\System32\DriverStore\FileRepository\sudovda.inf_amd64_*`) and re-derive `sudovda.cer` +> from the `.cat` signer (`(Get-AuthenticodeSignature sudovda.cat).SignerCertificate | Export-Certificate`). +> nefcon (the device-node tool) **is** fetched + SHA-256-verified from its pinned release in +> `stage-sudovda.ps1`. ## Build locally (Windows, MSVC + Windows SDK + Inno Setup) diff --git a/packaging/windows/fetch-sudovda.ps1 b/packaging/windows/fetch-sudovda.ps1 deleted file mode 100644 index d4f77ea..0000000 --- a/packaging/windows/fetch-sudovda.ps1 +++ /dev/null @@ -1,91 +0,0 @@ -<# -.SYNOPSIS - Download + verify the SudoVDA virtual-display driver and the nefcon device tool, and stage the - files the installer bundles into -OutDir. - -.DESCRIPTION - The host uses SudoVDA (the SudoMaker Indirect Display Driver the Apollo Sunshine-fork ships) for - client-native-resolution virtual outputs (crates/punktfunk-host/src/vdisplay/sudovda.rs). The - driver isn't in this repo; CI fetches a PINNED release at pack time so the installer can carry it. - nefcon (nefarius/nefcon) provides `nefconc.exe`, used to create the root-enumerated device node - (pnputil cannot create a software/root device node from nothing). - - Output (consumed by punktfunk-host.iss): -OutDir gets the driver payload (*.inf/*.cat/*.dll/*.sys - + the signing *.cer) and nefconc.exe, flattened. install-sudovda.ps1 is copied in by the packer. - - PINNING: the URLs + SHA-256s below are the single source of truth for what ships. If a Sha256 is - left empty, the script downloads, prints the computed hash, and continues with a loud warning — - fill it in to lock the release. Override any field with the params for a one-off build. - -.EXAMPLE - pwsh -File fetch-sudovda.ps1 -OutDir C:\t\out\stage -#> -[CmdletBinding()] -param( - [Parameter(Mandatory = $true)][string]$OutDir, - - # --- PINNED SudoVDA release (https://github.com/SudoMaker/SudoVDA/releases) --------------- - # Baseline validated by the host backend: SudoVDA 0.2.1 (sudovda.rs header). Confirm the latest - # asset name/URL at impl time; fill Sha256 to lock it. - [string]$SudoVdaTag = 'v0.2.1', - [string]$SudoVdaUrl = 'https://github.com/SudoMaker/SudoVDA/releases/download/v0.2.1/SudoVDA-v0.2.1.zip', - [string]$SudoVdaSha256 = '', - - # --- PINNED nefcon release (https://github.com/nefarius/nefcon/releases) ------------------ - [string]$NefconUrl = 'https://github.com/nefarius/nefcon/releases/download/v1.0.2.0/nefconw.zip', - [string]$NefconSha256 = '' -) -$ErrorActionPreference = 'Stop' -$ProgressPreference = 'SilentlyContinue' - -function Get-Verified([string]$Url, [string]$ExpectedSha256, [string]$Dest) { - Write-Host "==> downloading $Url" - Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing - $got = (Get-FileHash -Algorithm SHA256 -Path $Dest).Hash.ToLowerInvariant() - if ($ExpectedSha256) { - if ($got -ne $ExpectedSha256.ToLowerInvariant()) { - throw "SHA-256 mismatch for $Url`n expected $ExpectedSha256`n got $got" - } - Write-Host " sha256 ok ($got)" - } - else { - Write-Warning "no pinned SHA-256 for $Url — computed $got (PIN THIS in fetch-sudovda.ps1)" - } -} - -# fresh staging dir -if (Test-Path $OutDir) { Remove-Item -Recurse -Force $OutDir } -New-Item -ItemType Directory -Force -Path $OutDir | Out-Null -$work = Join-Path $OutDir '_work' -New-Item -ItemType Directory -Force -Path $work | Out-Null - -# --- SudoVDA driver payload ------------------------------------------------------------------- -$sudoZip = Join-Path $work 'sudovda.zip' -Get-Verified -Url $SudoVdaUrl -ExpectedSha256 $SudoVdaSha256 -Dest $sudoZip -$sudoEx = Join-Path $work 'sudovda' -Expand-Archive -Path $sudoZip -DestinationPath $sudoEx -Force - -# Flatten the driver files we need into -OutDir. SudoVDA is a user-mode IDD (a .dll registered by an -# .inf); pull the .inf/.cat/.dll plus a .sys if present and the signing .cer. -$driverFiles = Get-ChildItem -Path $sudoEx -Recurse -Include *.inf, *.cat, *.dll, *.sys, *.cer -if (-not ($driverFiles | Where-Object Extension -eq '.inf')) { - throw "no .inf found in the SudoVDA archive ($SudoVdaUrl) — wrong asset?" -} -$driverFiles | ForEach-Object { Copy-Item $_.FullName (Join-Path $OutDir $_.Name) -Force } - -# --- nefcon (nefconc.exe) --------------------------------------------------------------------- -$nefZip = Join-Path $work 'nefcon.zip' -Get-Verified -Url $NefconUrl -ExpectedSha256 $NefconSha256 -Dest $nefZip -$nefEx = Join-Path $work 'nefcon' -Expand-Archive -Path $nefZip -DestinationPath $nefEx -Force -# Prefer the x64 console build. -$nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' | - Where-Object { $_.FullName -match '(?i)(x64|amd64)' } | - Select-Object -First 1 -if (-not $nefc) { $nefc = Get-ChildItem -Path $nefEx -Recurse -Filter 'nefconc.exe' | Select-Object -First 1 } -if (-not $nefc) { throw "nefconc.exe not found in $NefconUrl" } -Copy-Item $nefc.FullName (Join-Path $OutDir 'nefconc.exe') -Force - -Remove-Item -Recurse -Force $work -Write-Host "==> staged SudoVDA + nefcon in $OutDir :" -Get-ChildItem $OutDir -File | ForEach-Object { " $($_.Name)" } diff --git a/packaging/windows/pack-host-installer.ps1 b/packaging/windows/pack-host-installer.ps1 index fc3c451..0422dfd 100644 --- a/packaging/windows/pack-host-installer.ps1 +++ b/packaging/windows/pack-host-installer.ps1 @@ -113,7 +113,7 @@ Sign-File $exe $defines = @("/DMyAppVersion=$Version", "/DBinDir=$TargetDir", "/DOutputDir=$OutDir") if (-not $NoDriver) { $stage = Join-Path $OutDir 'stage' - & (Join-Path $here 'fetch-sudovda.ps1') -OutDir $stage + & (Join-Path $here 'stage-sudovda.ps1') -OutDir $stage Copy-Item (Join-Path $here 'install-sudovda.ps1') (Join-Path $stage 'install-sudovda.ps1') -Force $defines += "/DStageDir=$stage" } diff --git a/packaging/windows/stage-sudovda.ps1 b/packaging/windows/stage-sudovda.ps1 new file mode 100644 index 0000000..c4013cd --- /dev/null +++ b/packaging/windows/stage-sudovda.ps1 @@ -0,0 +1,65 @@ +<# +.SYNOPSIS + Stage the driver bundle the installer ships into -OutDir: the VENDORED SudoVDA driver + the + fetched nefcon device tool. + +.DESCRIPTION + SudoVDA has no upstream release (its repo is a source-only VS solution; Apollo embeds the driver in + its single installer), so the prebuilt, signed driver is VENDORED in this repo under + packaging/windows/sudovda/ (MIT/CC0; SudoVDA v1.10.9.289, signer CN=sudovda@su.mk, Class=Display, + HWID Root\SudoMaker\SudoVDA). nefcon DOES publish a pinned release, so we fetch + SHA-256-verify it + (it provides nefconc.exe, used to create the root-enumerated device node — pnputil can't). + + Output (consumed by punktfunk-host.iss): -OutDir gets SudoVDA.inf/.cat/.dll + sudovda.cer and + nefconc.exe (x64). pack-host-installer.ps1 also drops install-sudovda.ps1 in. + +.EXAMPLE + pwsh -File stage-sudovda.ps1 -OutDir C:\t\out\stage +#> +[CmdletBinding()] +param( + [Parameter(Mandatory = $true)][string]$OutDir, + [string]$VendorDir = (Join-Path $PSScriptRoot 'sudovda'), + # PINNED nefcon release (https://github.com/nefarius/nefcon/releases). MIT-licensed. + [string]$NefconUrl = 'https://github.com/nefarius/nefcon/releases/download/v1.17.40/nefcon_v1.17.40.zip', + [string]$NefconSha256 = '812bae7ed7dfb7d6d2284bc7de2f8ccebc92ed2a0b1ae893c53b337096e50c1a' +) +$ErrorActionPreference = 'Stop' +$ProgressPreference = 'SilentlyContinue' +$PSNativeCommandUseErrorActionPreference = $false + +if (Test-Path $OutDir) { Remove-Item -Recurse -Force $OutDir } +New-Item -ItemType Directory -Force -Path $OutDir | Out-Null + +# --- vendored SudoVDA driver ------------------------------------------------------------------ +$inf = Get-ChildItem -Path $VendorDir -Filter *.inf -ErrorAction SilentlyContinue | Select-Object -First 1 +if (-not $inf) { throw "no vendored SudoVDA .inf under $VendorDir — see packaging/windows/README.md" } +Copy-Item (Join-Path $VendorDir '*') $OutDir -Force +Write-Host "==> vendored SudoVDA staged from $VendorDir" + +# --- nefcon (fetched + verified) -------------------------------------------------------------- +$work = Join-Path ([IO.Path]::GetTempPath()) ('nefcon-' + [IO.Path]::GetRandomFileName()) +New-Item -ItemType Directory -Force -Path $work | Out-Null +try { + $zip = Join-Path $work 'nefcon.zip' + Write-Host "==> downloading $NefconUrl" + Invoke-WebRequest -Uri $NefconUrl -OutFile $zip -UseBasicParsing + $got = (Get-FileHash $zip -Algorithm SHA256).Hash.ToLowerInvariant() + if ($NefconSha256) { + if ($got -ne $NefconSha256.ToLowerInvariant()) { + throw "nefcon SHA-256 mismatch`n expected $NefconSha256`n got $got" + } + Write-Host " sha256 ok ($got)" + } + else { Write-Warning "no pinned nefcon SHA-256 — computed $got (PIN THIS in stage-sudovda.ps1)" } + Expand-Archive -Path $zip -DestinationPath $work -Force + $nefc = Get-ChildItem -Path $work -Recurse -Filter 'nefconc.exe' | + Where-Object { $_.FullName -match '(?i)\\x64\\' } | Select-Object -First 1 + if (-not $nefc) { $nefc = Get-ChildItem -Path $work -Recurse -Filter 'nefconc.exe' | Select-Object -First 1 } + if (-not $nefc) { throw "nefconc.exe not found in $NefconUrl" } + Copy-Item $nefc.FullName (Join-Path $OutDir 'nefconc.exe') -Force +} +finally { Remove-Item -Recurse -Force $work -ErrorAction SilentlyContinue } + +Write-Host "==> staged driver bundle in $OutDir :" +Get-ChildItem $OutDir -File | ForEach-Object { " $($_.Name)" } diff --git a/packaging/windows/sudovda/SudoVDA.dll b/packaging/windows/sudovda/SudoVDA.dll new file mode 100644 index 0000000..dfdff70 Binary files /dev/null and b/packaging/windows/sudovda/SudoVDA.dll differ diff --git a/packaging/windows/sudovda/SudoVDA.inf b/packaging/windows/sudovda/SudoVDA.inf new file mode 100644 index 0000000..f1958d5 Binary files /dev/null and b/packaging/windows/sudovda/SudoVDA.inf differ diff --git a/packaging/windows/sudovda/sudovda.cat b/packaging/windows/sudovda/sudovda.cat new file mode 100644 index 0000000..beb350b Binary files /dev/null and b/packaging/windows/sudovda/sudovda.cat differ diff --git a/packaging/windows/sudovda/sudovda.cer b/packaging/windows/sudovda/sudovda.cer new file mode 100644 index 0000000..6cdc2ae Binary files /dev/null and b/packaging/windows/sudovda/sudovda.cer differ