Files
riojoy/driver/sign.ps1
T
CydandClaude Opus 4.8 5dddbd2694 Phase 1 (3b): driver signing/install scripts + C# HID feeder sink
Make the virtual gamepad deployable on owned cabinets and wire the real
user-mode feeder:

- driver/sign.ps1 (non-admin): create a self-signed code-signing cert, build the
  catalog with inf2cat, and SHA-256-sign RioGamepad.sys + .cat (embed-sign the sys
  before cataloguing so the .cat matches). Exports RIOJoyTest.cer. Verified
  end-to-end against the EWDK (signability + catalog clean; both files signed).
- driver/install.ps1 (admin, two-phase): trust the cert (LocalMachine Root +
  TrustedPublisher), stage the package (pnputil /add-driver), enable test signing;
  after reboot, -CreateDevice runs devgen to create root\RioGamepad so PnP installs
  it. uninstall.ps1 reverses it.
- RioJoy.Core.Output.HidFeederJoystickSink: opens the driver by
  GUID_DEVINTERFACE_RIOGAMEPAD (SetupAPI), maintains a RioHidReport, and submits it
  via DeviceIoControl(IOCTL_RIO_SUBMIT_REPORT) on each axis/button/hat change.
  RioCoordinator now uses it when the driver is present and falls back to the no-op
  sink otherwise (status shows "[no joystick driver]").
- gitignore the signing outputs (driver/package/, *.cat); driver/README.md gets the
  full build → sign → install → joy.cpl workflow.

Remaining = the actual elevated install + reboot + joy.cpl verification on the
cabinet (admin steps), and on-hardware confirmation of the feeder.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 21:17:04 -05:00

76 lines
3.3 KiB
PowerShell

<#
.SYNOPSIS
Test-sign the RioGamepad driver package. No admin required.
.DESCRIPTION
Creates (once) a self-signed code-signing certificate in the current user's
store, stages the built RioGamepad.sys + RioGamepad.inf into driver\package\,
generates the security catalog with Inf2Cat, and signs both the .sys and the
.cat with SHA-256. Exports the public cert (RIOJoyTest.cer) for the install
step to trust.
Order matters: the .sys is embed-signed BEFORE the catalog is generated, so the
catalog hashes the signed binary; then the catalog itself is signed.
.PARAMETER Ewdk
Drive or root where the EWDK is mounted (default: E:).
#>
param([string]$Ewdk = "E:")
$ErrorActionPreference = "Stop"
$scriptDir = $PSScriptRoot
$projectDir = Join-Path $scriptDir "RioGamepad"
$buildOut = Join-Path $projectDir "x64\Release"
$pkg = Join-Path $scriptDir "package"
$kitsBin = Join-Path $Ewdk "Program Files\Windows Kits\10\bin\10.0.28000.0"
$signtool = Join-Path $kitsBin "x64\signtool.exe"
$inf2cat = Join-Path $kitsBin "x86\Inf2Cat.exe"
$certName = "RIOJoy Test Cert"
$cerPath = Join-Path $scriptDir "RIOJoyTest.cer"
foreach ($tool in @($signtool, $inf2cat)) {
if (-not (Test-Path $tool)) { throw "Tool not found: $tool (is the EWDK mounted at $Ewdk?)" }
}
if (-not (Test-Path (Join-Path $buildOut "RioGamepad.sys"))) {
throw "RioGamepad.sys not found. Build first: driver\RioGamepad\build.cmd $Ewdk"
}
# 1. Self-signed code-signing certificate (idempotent).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$certName" } | Select-Object -First 1
if (-not $cert) {
Write-Host "Creating self-signed code-signing certificate '$certName'..."
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=$certName" `
-CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable `
-NotAfter (Get-Date).AddYears(5)
}
Export-Certificate -Cert $cert -FilePath $cerPath -Force | Out-Null
Write-Host "Certificate thumbprint: $($cert.Thumbprint)"
Write-Host "Public cert exported to: $cerPath"
# 2. Stage the package.
if (Test-Path $pkg) { Remove-Item $pkg -Recurse -Force }
New-Item -ItemType Directory -Path $pkg | Out-Null
Copy-Item (Join-Path $buildOut "RioGamepad.sys") $pkg
Copy-Item (Join-Path $buildOut "RioGamepad.inf") $pkg
# 3. Embed-sign the .sys.
& $signtool sign /fd SHA256 /s My /n $certName (Join-Path $pkg "RioGamepad.sys")
if ($LASTEXITCODE -ne 0) { throw "signtool failed on RioGamepad.sys ($LASTEXITCODE)" }
# 4. Generate the catalog (Win10 x64).
& $inf2cat /driver:$pkg /os:10_X64 /verbose
if ($LASTEXITCODE -ne 0) { throw "inf2cat failed ($LASTEXITCODE)" }
# 5. Sign the catalog.
& $signtool sign /fd SHA256 /s My /n $certName (Join-Path $pkg "RioGamepad.cat")
if ($LASTEXITCODE -ne 0) { throw "signtool failed on RioGamepad.cat ($LASTEXITCODE)" }
Write-Host ""
Write-Host "Signed package ready in: $pkg" -ForegroundColor Green
Write-Host "Next: run driver\install.ps1 from an elevated shell to trust the cert," -ForegroundColor Yellow
Write-Host "enable test signing, and install the device." -ForegroundColor Yellow
Write-Host ""
Write-Host "(Note: 'signtool verify /pa' will fail until the cert is trusted by install.ps1 —" -ForegroundColor DarkGray
Write-Host " that is expected for a self-signed test driver.)" -ForegroundColor DarkGray