# MrTrust

## Brought To You By The Fine People Of MrSphay

Good morning, citizen.

Has Windows ever looked at your freshly downloaded MrSphay program and said:

```text
Unknown publisher? Sounds suspicious, pal.
```

Then step right up to **MrTrust**, the cheerful little trust-onboarding utility that helps your PC recognize signed MrSphay software without poking holes in Windows security.

One click. One confirmation. A brighter tomorrow for properly signed applications.

MrTrust installs public certificates only after you say so. It does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, company policies, common sense, or the big red security lever nobody should touch.

## Download Your Complimentary Trust Appliance

Latest release page:

```text
https://git.wilkensxl.de/MrSphay/MrTrust/releases
```

Download the newest:

```text
MrTrust-.zip
```

Extract it, then run:

```text
MrTrust.exe
```

That is the normal user version. It is standalone and carries the public MrSphay certificates it needs.

## Operating Your Trust-O-Matic 3000

Inside the friendly GUI:

- `Install trust` tells Windows to trust MrSphay public signing certificates.
- `Remove trust` politely takes that trust back out again.
- `Refresh` checks whether your PC is currently feeling cooperative.

Default installation scope:

```text
Root certificate         -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher
```

That means the trust applies only to the current Windows user.

For all users on the PC, run `MrTrust.exe` as Administrator and choose the all-users option. Please operate administrator privileges responsibly. The future depends on it.

## How The Magic Works

There is no magic. That is how you know it is working.

The approved flow:

1. A MrSphay app is signed during its release build.
2. You run `MrTrust.exe`.
3. You review the certificate details.
4. You confirm the trust installation.
5. Windows can validate signed MrSphay apps on that PC.

If the app is not signed, MrTrust cannot help it. Even the finest paperwork cannot identify a person who never showed up.

## Safety Notice From The Department Of Not Breaking Windows

MrTrust does not:

- make unsigned programs trusted
- bypass Defender
- bypass SmartScreen
- remove UAC prompts
- silently install certificates
- install private signing keys on user machines
- make sketchy software less sketchy

Windows may still scan, block, warn, quarantine, or ask questions. MrTrust only handles normal certificate trust.

## Public Certificate Values

These values are public and safe to use in documentation, agent prompts, and integration metadata:

```text
Publisher: MrSphay
Root certificate thumbprint: 39F7458E6E2C1126E93E6A1F228196006B174DF2
Code-signing certificate thumbprint: A024A89200469F099EC4A172B4F96F6428AFD41B
```

They are also stored here:

```text
assets/certificates/thumbprints.txt
mrtrust.integration.json
```

## For The Workshop Crew

Local maintainer commands:

```powershell
.\MrTrust.ps1 gui
.\MrTrust.ps1 install
.\MrTrust.ps1 uninstall
```

Create or refresh local certificates:

```powershell
.\scripts\New-MrTrustCertificate.ps1
```

Build a release ZIP locally:

```powershell
.\scripts\New-MrTrustRelease.ps1 -Version 0.1.4
```

Sign an artifact locally on Windows:

```powershell
.\MrTrust.ps1 sign `
  -Path "C:\Path\To\App.exe" `
  -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
```

Private signing material belongs only in:

```text
private/
Bitwarden
Gitea repository secrets
```

Never commit `.pfx` files, private keys, passwords, or Base64-encoded signing material. That is not trust. That is handing out the vault keys at the snack counter.

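
To confirm independently what `Install trust` left behind, the following read-only PowerShell audit checks the stores and thumbprints published above, flags lookalike certificates, and verifies that a signed file's signer is the published code-signing certificate. It is an added example, not part of MrTrust or this repository; the function names and the `*MrSphay*` subject match are assumptions of the example.

```powershell
# Added example: read-only audit of the trust MrTrust installs; not MrTrust's own code.
# Thumbprints and store names are the values published on this page.
$RootThumbprint    = '39F7458E6E2C1126E93E6A1F228196006B174DF2'
$SigningThumbprint = 'A024A89200469F099EC4A172B4F96F6428AFD41B'
$Expected  = @{ Root = $RootThumbprint; TrustedPublisher = $SigningThumbprint }
$Published = @($RootThumbprint, $SigningThumbprint)

function Get-MrSphayTrustState {
    # One row per scope and store: is the published certificate present,
    # and does it (wrongly) carry a private key on this machine?
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        foreach ($store in 'Root', 'TrustedPublisher') {
            $path = "Cert:\$scope\$store\$($Expected[$store])"
            $cert = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Scope         = $scope
                Store         = $store
                Installed     = [bool]$cert
                HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
                NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
            }
        }
    }
}

function Find-UnexpectedMrSphayCertificate {
    # Assumption: the certificate subject contains "MrSphay" (the page gives only
    # the publisher name). A match with any other thumbprint is a lookalike.
    Get-ChildItem Cert:\CurrentUser\Root, Cert:\CurrentUser\TrustedPublisher,
                  Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Subject -like '*MrSphay*' -and $_.Thumbprint -notin $Published } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

function Test-MrSphaySignature {
    param([Parameter(Mandatory)][string]$Path)
    # A Valid status alone is not enough: the signer must be the published certificate.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignerMatches = [bool]($signer -and $signer.Thumbprint -eq $SigningThumbprint)
        Timestamped   = [bool]$sig.TimeStamperCertificate
    }
}

Get-MrSphayTrustState | Format-Table -AutoSize
Find-UnexpectedMrSphayCertificate | Format-Table -AutoSize
Test-MrSphaySignature -Path 'C:\Path\To\App.exe'   # placeholder path, as used on this page
```

A `HasPrivateKey` value of `True`, or any row returned by `Find-UnexpectedMrSphayCertificate`, is a reason to use `Remove trust` and investigate before running further signed builds.
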
## Gitea Secrets For Other Projects

For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these secrets to that target repository:

```text
MRTRUST_CODESIGN_PFX_BASE64
MRTRUST_CODESIGN_PFX_PASSWORD
```

Optional timestamp override:

```text
MRTRUST_TIMESTAMP_URL
```

The first two values are private signing credentials. Keep them in Bitwarden and Gitea Secrets only.

Ubuntu helper script:

```text
scripts/Sign-MrTrustProjectLinux.sh
```

It signs supported Windows artifacts with `osslsigncode`:

```text
.exe
.msi
.dll
.cat
```

PowerShell scripts should be signed on Windows, not Ubuntu.

## Installing MrTrust Into Another Project

Give your coding agent this repository:

```text
https://git.wilkensxl.de/MrSphay/MrTrust
```

Tell it to read:

```text
mrtrust.integration.json
docs/agent-target-integration.md
docs/integration-prompt.md
```

The target project should end up with:

- signed Windows release artifacts
- a visible optional MrTrust setup path
- a link to or bundled copy of `MrTrust.exe`
- documentation for installing and removing trust
- no committed private signing material

Remember the two-part handshake:

- MrTrust side: the user installs public trust certificates once.
- Target project side: the app is signed with the MrSphay code-signing certificate.

No signature, no trust. No trust, no victory parade.

## Current Build

The Gitea workflow builds `MrTrust.exe` on `ubuntu-latest` with .NET Windows cross-targeting.

On pushes to `main`, it:

1. builds the standalone Windows executable
2. packages `MrTrust-0.1.4.zip`
3. uploads the workflow artifact
4. attaches the ZIP to the Gitea release

Manual `workflow_dispatch` runs build artifacts but do not attach release assets. This prevents duplicate release uploads, which are bad for morale and paperwork.

## Final Safety Reminder

MrTrust is intentionally visible and reversible:

- the GUI shows the trust state
- installation requires confirmation
- removal is available in the same tool
- public certificates are embedded in the executable
- private signing material is never needed on user machines

For broad public distribution without SmartScreen reputation delays, a recognized commercial code-signing certificate is still the cleanest option.

Thank you for choosing MrTrust. Stay signed, stay verified, and keep your release pipeline tidy.