# MrTrust Security Model

MrTrust is a trust bootstrapper, not a security bypass.

## Allowed Behavior

- Import a public MrSphay certificate into Windows certificate stores after explicit user approval.
- Sign MrSphay build artifacts with a private code-signing certificate kept outside git.
- Provide an uninstall script that removes the same certificate again.

## Disallowed Behavior

- Disabling Microsoft Defender.
- Disabling SmartScreen.
- Silently modifying certificate stores.
- Installing private keys on user machines.
- Hiding certificate installation inside unrelated app actions.
- Shipping `.pfx` files or signing passwords in a repository or release.

## Recommended Stores

For normal users:

```text
Cert:\CurrentUser\Root
Cert:\CurrentUser\TrustedPublisher
```

For managed PCs or all-user installs:

```text
Cert:\LocalMachine\Root
Cert:\LocalMachine\TrustedPublisher
```

The LocalMachine stores require administrator approval.

## Residual Windows Warnings

Even after MrTrust is installed, Windows can still block suspicious software. SmartScreen reputation, Defender detections, enterprise security policy, and downloaded-file mark-of-the-web behavior are separate from Authenticode trust.