Make README a retro trust advertisement

README.md

@@ -1,12 +1,22 @@
 # MrTrust
 
-MrTrust is the trust setup tool for MrSphay Windows software.
+## Brought To You By The Fine People Of MrSphay
 
-Normal users run `MrTrust.exe` once, review the shown certificate details, and explicitly approve installing the public MrSphay trust certificates. After that, Windows can validate MrSphay apps that are signed with the matching code-signing certificate.
+Good morning, citizen.
 
-MrTrust does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, or company security policies.
+Has Windows ever looked at your freshly downloaded MrSphay program and said:
 
-## Download
+```text
+Unknown publisher? Sounds suspicious, pal.
+```
+
+Then step right up to **MrTrust**, the cheerful little trust-onboarding utility that helps your PC recognize signed MrSphay software without poking holes in Windows security.
+
+One click. One confirmation. A brighter tomorrow for properly signed applications.
+
+MrTrust installs public certificates only after you say so. It does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, company policies, common sense, or the big red security lever nobody should touch.
+
+## Download Your Complimentary Trust Appliance
 
 Latest release page:
 
@@ -14,21 +24,27 @@ Latest release page:
 https://git.wilkensxl.de/MrSphay/MrTrust/releases
 ```
 
-Download the newest `MrTrust-<version>.zip`, extract it, and start:
+Download the newest:
+
+```text
+MrTrust-<version>.zip
+```
+
+Extract it, then run:
 
 ```text
 MrTrust.exe
 ```
 
-The executable is standalone for normal users. It embeds the public certificates and the scripts it needs at runtime.
+That is the normal user version. It is standalone and carries the public MrSphay certificates it needs.
 
-## For Users
+## Operating Your Trust-O-Matic 3000
 
-Use the GUI buttons:
+Inside the friendly GUI:
 
-- `Install trust` installs MrSphay public trust certificates.
+- `Install trust` tells Windows to trust MrSphay public signing certificates.
-- `Remove trust` removes them again.
+- `Remove trust` politely takes that trust back out again.
-- `Refresh` checks the current trust state.
+- `Refresh` checks whether your PC is currently feeling cooperative.
 
 Default installation scope:
 
@@ -37,31 +53,41 @@ Root certificate -> Cert:\CurrentUser\Root
 Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher
 ```
 
-This means trust is installed only for the current Windows user.
+That means the trust applies only to the current Windows user.
 
-For all users on the PC, run `MrTrust.exe` as Administrator and choose the all-users option in the GUI.
+For all users on the PC, run `MrTrust.exe` as Administrator and choose the all-users option. Please operate administrator privileges responsibly. The future depends on it.
 
-## What MrTrust Does
+## How The Magic Works
 
-MrTrust installs public certificates that let Windows validate software signed by MrSphay.
+There is no magic. That is how you know it is working.
 
-The expected flow is:
+The approved flow:
 
 1. A MrSphay app is signed during its release build.
-2. The user runs `MrTrust.exe` once and confirms the trust installation.
+2. You run `MrTrust.exe`.
-3. Windows can validate the signature chain for signed MrSphay apps on that PC.
+3. You review the certificate details.
+4. You confirm the trust installation.
+5. Windows can validate signed MrSphay apps on that PC.
 
-## What MrTrust Does Not Do
+If the app is not signed, MrTrust cannot help it. Even the finest paperwork cannot identify a person who never showed up.
 
-- It does not make unsigned programs trusted.
+## Safety Notice From The Department Of Not Breaking Windows
-- It does not bypass Defender or SmartScreen.
+
-- It does not remove UAC prompts from apps that need administrator rights.
+MrTrust does not:
-- It does not silently install certificates.
+
-- It does not install private signing keys on user machines.
+- make unsigned programs trusted
+- bypass Defender
+- bypass SmartScreen
+- remove UAC prompts
+- silently install certificates
+- install private signing keys on user machines
+- make sketchy software less sketchy
+
+Windows may still scan, block, warn, quarantine, or ask questions. MrTrust only handles normal certificate trust.
 
 ## Public Certificate Values
 
-These values are public and can be used by agents or documentation:
+These values are public and safe to use in documentation, agent prompts, and integration metadata:
 
 ```text
 Publisher:
@@ -74,14 +100,14 @@ Code-signing certificate thumbprint:
 A024A89200469F099EC4A172B4F96F6428AFD41B
 ```
 
-The same values are stored in:
+They are also stored here:
 
 ```text
 assets/certificates/thumbprints.txt
 mrtrust.integration.json
 ```
 
-## For Developers
+## For The Workshop Crew
 
 Local maintainer commands:
 
@@ -111,11 +137,19 @@ Sign an artifact locally on Windows:
   -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
 ```
 
-Private signing material belongs only in `private/`, Bitwarden, or Gitea secrets. Never commit `.pfx` files, private keys, passwords, or Base64-encoded signing material.
+Private signing material belongs only in:
 
-## Gitea Secrets For Target Projects
+```text
+private/
+Bitwarden
+Gitea repository secrets
+```
 
-For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these repository secrets to that target project:
+Never commit `.pfx` files, private keys, passwords, or Base64-encoded signing material. That is not trust. That is handing out the vault keys at the snack counter.
+
+## Gitea Secrets For Other Projects
+
+For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these secrets to that target repository:
 
 ```text
 MRTRUST_CODESIGN_PFX_BASE64
@@ -128,9 +162,9 @@ Optional timestamp override:
 MRTRUST_TIMESTAMP_URL
 ```
 
-The values for the first two secrets should be kept in Bitwarden. They are private signing credentials.
+The first two values are private signing credentials. Keep them in Bitwarden and Gitea Secrets only.
 
-The helper script for Ubuntu runners is:
+Ubuntu helper script:
 
 ```text
 scripts/Sign-MrTrustProjectLinux.sh
@@ -147,15 +181,15 @@ It signs supported Windows artifacts with `osslsigncode`:
 
 PowerShell scripts should be signed on Windows, not Ubuntu.
 
-## Using MrTrust In Another Project
+## Installing MrTrust Into Another Project
 
-Give another agent this repository URL and the target Windows project:
+Give your coding agent this repository:
 
 ```text
 https://git.wilkensxl.de/MrSphay/MrTrust
 ```
 
-Tell the agent to read these files:
+Tell it to read:
 
 ```text
 mrtrust.integration.json
@@ -163,35 +197,44 @@ docs/agent-target-integration.md
 docs/integration-prompt.md
 ```
 
-The agent should modify the target project so that:
+The target project should end up with:
 
-- Windows release artifacts are signed.
+- signed Windows release artifacts
-- The project links to or bundles `MrTrust.exe`.
+- a visible optional MrTrust setup path
-- Users have a visible optional trust setup path.
+- a link to or bundled copy of `MrTrust.exe`
-- Trust installation remains explicit and reversible.
+- documentation for installing and removing trust
-- No private signing material is committed or shipped.
+- no committed private signing material
 
-Both sides are required:
+Remember the two-part handshake:
 
-- MrTrust side: user installs the public trust certificates once.
+- MrTrust side: the user installs public trust certificates once.
-- Target project side: release artifacts are signed with the MrSphay code-signing certificate.
+- Target project side: the app is signed with the MrSphay code-signing certificate.
 
-If the target project is not signed, MrTrust cannot make it trusted.
+No signature, no trust. No trust, no victory parade.
 
 ## Current Build
 
-The Gitea workflow builds `MrTrust.exe` on `ubuntu-latest` with .NET Windows cross-targeting, packages `MrTrust-0.1.3.zip`, uploads it as a workflow artifact, and attaches the ZIP to the Gitea release on `main` pushes.
+The Gitea workflow builds `MrTrust.exe` on `ubuntu-latest` with .NET Windows cross-targeting.
 
-Manual `workflow_dispatch` runs build artifacts but do not attach release assets, to avoid duplicate release uploads.
+On pushes to `main`, it:
 
-## Security Notes
+1. builds the standalone Windows executable
+2. packages `MrTrust-0.1.3.zip`
+3. uploads the workflow artifact
+4. attaches the ZIP to the Gitea release
 
-MrTrust is intentionally transparent:
+Manual `workflow_dispatch` runs build artifacts but do not attach release assets. This prevents duplicate release uploads, which are bad for morale and paperwork.
 
-- The GUI shows the trust state.
+## Final Safety Reminder
-- Installing trust requires user confirmation.
+
-- Removing trust is available in the same tool.
+MrTrust is intentionally visible and reversible:
-- The public certificates are embedded in the executable.
+
-- Private signing material is never needed on user machines.
+- the GUI shows the trust state
+- installation requires confirmation
+- removal is available in the same tool
+- public certificates are embedded in the executable
+- private signing material is never needed on user machines
 
 For broad public distribution without SmartScreen reputation delays, a recognized commercial code-signing certificate is still the cleanest option.
+
+Thank you for choosing MrTrust. Stay signed, stay verified, and keep your release pipeline tidy.