0.1.3

Added Ubuntu-runner signing support through osslsigncode and PFX secrets.

docs/agent-target-integration.md

@@ -43,6 +43,8 @@ Apply every item that fits the target project:
    - Use the public thumbprint from `mrtrust.integration.json`.
    - Only run signing where private signing material is securely available.
    - Do not commit `.pfx`, private keys, passwords, tokens, or signing secrets.
+   - On the available `ubuntu-latest` Gitea runners, use `osslsigncode` with PFX secrets for `.exe`, `.dll`, `.msi`, and `.cat`.
+   - PowerShell script signing (`.ps1`, `.psm1`, `.psd1`) still requires a Windows signing environment. If no Windows runner exists, document that limitation instead of blocking PE/MSI signing.
 
 4. Add verification.
    - Verify the target project still builds.
@@ -76,6 +78,12 @@ Check a signature:
 Get-AuthenticodeSignature .\dist\App.exe | Format-List Status,SignerCertificate,StatusMessage
 ```
 
+Sign a release directory on an Ubuntu Gitea runner:
+
+```bash
+bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh ./dist
+```
+
 ## Installer Patterns
 
 ### Inno Setup
@@ -118,6 +126,45 @@ Document that users should run it once before launching signed MrSphay apps if W
 
 ## CI Signing Patterns
 
+### Gitea Actions On Ubuntu Runner
+
+Use this when only `ubuntu-latest`, `ubuntu-24.04`, or `ubuntu-22.04` runners are available.
+
+Required Gitea secrets:
+
+```text
+MRTRUST_CODESIGN_PFX_BASE64
+MRTRUST_CODESIGN_PFX_PASSWORD
+```
+
+Create `MRTRUST_CODESIGN_PFX_BASE64` locally from the private `.pfx`:
+
+```powershell
+[Convert]::ToBase64String([IO.File]::ReadAllBytes(".\private\MrSphay-CodeSigning.pfx")) | Set-Clipboard
+```
+
+Then paste the clipboard value into the Gitea secret. Do not commit the `.pfx` or the base64 value.
+
+Ubuntu workflow step:
+
+```yaml
+- name: Install signing tool
+  shell: bash
+  run: |
+    sudo apt-get update
+    sudo apt-get install -y osslsigncode
+
+- name: Sign Windows artifacts
+  shell: bash
+  env:
+    MRTRUST_CODESIGN_PFX_BASE64: ${{ secrets.MRTRUST_CODESIGN_PFX_BASE64 }}
+    MRTRUST_CODESIGN_PFX_PASSWORD: ${{ secrets.MRTRUST_CODESIGN_PFX_PASSWORD }}
+  run: |
+    bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh ./dist
+```
+
+This signs `.exe`, `.dll`, `.msi`, and `.cat` artifacts. It does not sign PowerShell script files.
+
 ### Gitea Actions On Windows Runner
 
 ```yaml

docs/integration-prompt.md

@@ -32,10 +32,12 @@ Implementation requirements:
 - Only offer LocalMachine installation when the user explicitly chooses an all-users install and the process is elevated.
 - Add an uninstall path or documentation that opens MrTrust again and tells the user to choose "Remove trust".
 - Keep the UI wording clear: the user is trusting MrSphay signed software, not bypassing Windows security.
-- If this project produces an .exe, .msi, .dll, .ps1, .psm1, .psd1, or .cat release artifact, sign it with:
-  .\MrTrust\MrTrust.exe sign -Path <artifact-path> -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
+- If this project produces an .exe, .msi, .dll, or .cat release artifact on an Ubuntu Gitea runner, sign it with:
+  bash ./MrTrust/scripts/Sign-MrTrustProjectLinux.sh <artifact-path>
 - Treat the certificate thumbprint as public metadata, but never commit private signing material.
-- If the target project needs automated signing, call MrTrust's signing script from CI or a secure local release machine where the private certificate is already installed or supplied through secrets. Do not put private signing material into the target repository or user-facing release ZIP.
+- Configure Gitea secrets `MRTRUST_CODESIGN_PFX_BASE64` and `MRTRUST_CODESIGN_PFX_PASSWORD` for Ubuntu runner signing.
+- If the target project needs .ps1, .psm1, or .psd1 signing, use a Windows signing environment or document that script signing is not available on the current Ubuntu-only runners.
+- Do not put private signing material into the target repository or user-facing release ZIP.
 
 Verification:
 - Confirm the target project's user-facing release contains either a link to the MrTrust release ZIP or a bundled copy of `MrTrust.exe`.