generated from MrSphay/codex-agent-repository-kit
Clarify MrTrust target project integration for agents
All checks were successful
Build MrTrust / build (push) Successful in 2m31s
@@ -10,22 +10,30 @@ Goal:
|
||||
- The project must not disable Defender, SmartScreen, UAC, or Windows security policy.
|
||||
- All trust changes must be visible and require explicit user confirmation.
|
||||
|
||||
Agent contract:
|
||||
- You are modifying the target Windows project, not MrTrust itself.
|
||||
- Add MrTrust as a visible, optional trust-onboarding path for users.
|
||||
- Add or update the target project's release/signing pipeline so produced Windows artifacts are signed.
|
||||
- Do not mark the task complete after only copying documentation. The target project needs user-facing integration and signing support where applicable.
|
||||
|
||||
Implementation requirements:
|
||||
- Add a docs section that explains MrTrust and links to or bundles the MrTrust release ZIP.
|
||||
- Treat `MrTrust.exe` from the release ZIP as the user-facing integration point. Do not require users to copy or run MrTrust PowerShell source files.
|
||||
- Add a build or release signing step that signs Windows artifacts with the MrSphay code-signing certificate.
|
||||
- Do not commit any .pfx file, private key, certificate password, or signing secret.
|
||||
- If the project has an installer, add an optional "Open MrTrust" action that runs:
|
||||
powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 gui
|
||||
.\MrTrust\MrTrust.exe
|
||||
- Prefer CurrentUser certificate installation by default.
|
||||
- Only offer LocalMachine installation when the user explicitly chooses an all-users install and the process is elevated.
|
||||
- Add an uninstall path or documentation that runs:
|
||||
powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 uninstall
|
||||
- Add an uninstall path or documentation that opens MrTrust again and tells the user to choose "Remove trust".
|
||||
- Keep the UI wording clear: the user is trusting MrSphay signed software, not bypassing Windows security.
|
||||
- If this project produces an .exe, .msi, .dll, .ps1, .psm1, .psd1, or .cat release artifact, sign it with:
|
||||
powershell.exe -ExecutionPolicy Bypass -File .\MrTrust\MrTrust.ps1 sign -Path <artifact-path> -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
|
||||
.\MrTrust\MrTrust.exe sign -Path <artifact-path> -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
|
||||
- Treat the certificate thumbprint as public metadata, but never commit private signing material.
|
||||
- If the target project needs automated signing, call MrTrust's signing script from CI or a secure local release machine where the private certificate is already installed or supplied through secrets. Do not put private signing material into the target repository or user-facing release ZIP.
|
||||
|
||||
Verification:
|
||||
- Confirm the target project's user-facing release contains either a link to the MrTrust release ZIP or a bundled copy of `MrTrust.exe`.
|
||||
- Confirm unsigned builds still show as unsigned.
|
||||
- Confirm signed builds validate after MrTrust installation.
|
||||
- Confirm the MrTrust certificate can be removed again.
|
||||
|
||||
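Review bot: The Verification list at the end of this hunk has no check for two of the requirements stated above it. Nothing confirms that no .pfx file, private key, certificate password, or signing secret has ended up in the target repository or the user-facing release ZIP, and nothing confirms that a signed artifact's signer certificate carries the thumbprint A024A89200469F099EC4A172B4F96F6428AFD41B. "Confirm signed builds validate after MrTrust installation" does not by itself show which certificate signed the build, so consider adding items such as "Confirm the signer thumbprint of each signed artifact matches the documented thumbprint" and "Confirm the repository and the release ZIP contain no private signing material". Separately, the automated-signing bullet says "call MrTrust's signing script" while the sign command in this hunk also appears as `.\MrTrust\MrTrust.exe sign`; the wording should name the same entry point that the requirement about not running MrTrust PowerShell source files implies.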