Merge pull request 'fix(build): driver inject non-fatal + ForceUnsigned (NetKVM rejected, bricked build)' (#27) from fix/driver-inject-resilient into main

.gitattributes

@@ -0,0 +1,11 @@
+# Keep binary assets verbatim (no EOL/charset normalization on checkout).
+*.sys binary
+*.cat binary
+*.exe binary
+*.dll binary
+*.iso binary
+*.png binary
+*.jpg binary
+*.ico binary
+*.cab binary
+windows/drivers/** binary

windows/installer/build.ps1

@@ -254,7 +254,13 @@ function Invoke-ServiceWim {
         # Drivers (GPD Pocket 4 pack) -- skipped silently if dir empty (e.g. VM test).
         $drv = Join-Path $WindowsDir 'drivers'
         if ((Get-ChildItem $drv -Recurse -Filter *.inf -EA SilentlyContinue)) {
-            Write-Host '   adding drivers'; Add-WindowsDriver -Path $mount -Driver $drv -Recurse | Out-Null
+            # -ForceUnsigned: skip the offline-inject signature check (the virtio NetKVM
+            # driver is WHQL-signed and loads fine at boot; the offline check can still
+            # reject it on the build host). Non-fatal: a driver issue must not brick the
+            # whole image build -- warn and continue without it.
+            Write-Host '   adding drivers'
+            try { Add-WindowsDriver -Path $mount -Driver $drv -Recurse -ForceUnsigned -ErrorAction Stop | Out-Null }
+            catch { Write-Warning "   driver inject failed (continuing without it): $($_.Exception.Message)" }
         } else { Write-Host '   no .inf drivers staged (ok for VM test)' }
 
         # Kiosk features (Shell Launcher v2 + Keyboard Filter) — IoT Enterprise LTSC.