MrTrust/README.md
MrSphay 46f9f95dcf
Add diagnostics tab and UI animations
2026-05-16 13:05:12 +02:00


# MrTrust
## Brought To You By The Fine People Of MrSphay
Good morning, citizen.
Has Windows ever looked at your freshly downloaded MrSphay program and said:
```text
Unknown publisher? Sounds suspicious, pal.
```
Then step right up to **MrTrust**, the cheerful little trust-onboarding utility that helps your PC recognize signed MrSphay software without poking holes in Windows security.
One click. One confirmation. A brighter tomorrow for properly signed applications.
MrTrust installs public certificates only after you say so. It does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, company policies, common sense, or the big red security lever nobody should touch.
## Download Your Complimentary Trust Appliance
Latest release page:
```text
https://git.wilkensxl.de/MrSphay/MrTrust/releases
```
Download the newest:
```text
MrTrust-<version>.zip
```
Extract it, then run:
```text
MrTrust.exe
```
That is the normal user version. It is standalone and carries the public MrSphay certificates it needs.
## Operating Your Trust-O-Matic 3000
Inside the friendly GUI:
- `Install trust` tells Windows to trust MrSphay public signing certificates.
- `Remove trust` politely takes that trust back out again.
- `Refresh` checks whether your PC is currently feeling cooperative.
Default installation scope:
```text
Root certificate -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher
```
That means the trust applies only to the current Windows user.
For all users on the PC, run `MrTrust.exe` as Administrator and choose the all-users option. Please operate administrator privileges responsibly. The future depends on it.
## How The Magic Works
There is no magic. That is how you know it is working.
The approved flow:
1. A MrSphay app is signed during its release build.
2. You run `MrTrust.exe`.
3. You review the certificate details.
4. You confirm the trust installation.
5. Windows can validate signed MrSphay apps on that PC.
If the app is not signed, MrTrust cannot help it. Even the finest paperwork cannot identify a person who never showed up.
## Safety Notice From The Department Of Not Breaking Windows
MrTrust does not:
- make unsigned programs trusted
- bypass Defender
- bypass SmartScreen
- remove UAC prompts
- silently install certificates
- install private signing keys on user machines
- make sketchy software less sketchy
Windows may still scan, block, warn, quarantine, or ask questions. MrTrust only handles normal certificate trust.
## Public Certificate Values
These values are public and safe to use in documentation, agent prompts, and integration metadata:
```text
Publisher:
MrSphay
Root certificate thumbprint:
39F7458E6E2C1126E93E6A1F228196006B174DF2
Code-signing certificate thumbprint:
A024A89200469F099EC4A172B4F96F6428AFD41B
```
They are also stored here:
```text
assets/certificates/thumbprints.txt
mrtrust.integration.json
```
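To confirm what ended up in the certificate stores, the following added example (not part of MrTrust or its scripts) compares each store against the thumbprints published above and flags any certificate that looks like a MrSphay certificate but has a different thumbprint. The function name `Get-MrTrustState`, the `LocalMachine` store paths for the all-users option, and the subject filter `*MrSphay*` are assumptions.

```powershell
# Added example, not part of MrTrust. Pins are the public thumbprints from this README.
$MrTrustPins = [ordered]@{
    Root             = '39F7458E6E2C1126E93E6A1F228196006B174DF2'
    TrustedPublisher = 'A024A89200469F099EC4A172B4F96F6428AFD41B'
}

function Get-MrTrustState {
    # LocalMachine paths are an assumption for the all-users option.
    # The CurrentUser view also lists certificates inherited from LocalMachine,
    # so read the LocalMachine rows to tell the two scopes apart.
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        foreach ($store in $MrTrustPins.Keys) {
            $path  = "Cert:\$scope\$store"
            $pin   = $MrTrustPins[$store]
            $certs = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue)

            # Assumption: MrSphay certificates carry "MrSphay" in the subject.
            # A matching subject with a different thumbprint is not the
            # certificate this README documents and deserves a closer look.
            $lookalikes = @($certs | Where-Object {
                $_.Subject -like '*MrSphay*' -and $_.Thumbprint -ne $pin
            })

            [pscustomobject]@{
                Store      = $path
                Pinned     = $pin
                Installed  = [bool]($certs | Where-Object Thumbprint -eq $pin)
                Unexpected = $lookalikes.Thumbprint -join ','
            }
        }
    }
}

Get-MrTrustState | Format-Table -AutoSize
```

After `Remove trust`, every `Installed` value should read `False`; a non-empty `Unexpected` column means a store holds a certificate that does not match the published values.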
## For The Workshop Crew
Local maintainer commands:
```powershell
.\MrTrust.ps1 gui
.\MrTrust.ps1 install
.\MrTrust.ps1 uninstall
```
Create or refresh local certificates:
```powershell
.\scripts\New-MrTrustCertificate.ps1
```
Build a release ZIP locally:
```powershell
.\scripts\New-MrTrustRelease.ps1 -Version 0.1.4
```
Sign an artifact locally on Windows:
```powershell
.\MrTrust.ps1 sign `
-Path "C:\Path\To\App.exe" `
-CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
```
Private signing material belongs only in:
```text
private/
Bitwarden
Gitea repository secrets
```
Never commit `.pfx` files, private keys, passwords, or Base64-encoded signing material. That is not trust. That is handing out the vault keys at the snack counter.
## Gitea Secrets For Other Projects
For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these secrets to that target repository:
```text
MRTRUST_CODESIGN_PFX_BASE64
MRTRUST_CODESIGN_PFX_PASSWORD
```
Optional timestamp override:
```text
MRTRUST_TIMESTAMP_URL
```
The first two values are private signing credentials. Keep them in Bitwarden and Gitea Secrets only.
Ubuntu helper script:
```text
scripts/Sign-MrTrustProjectLinux.sh
```
It signs supported Windows artifacts with `osslsigncode`:
```text
.exe
.msi
.dll
.cat
```
PowerShell scripts should be signed on Windows, not Ubuntu.
## Installing MrTrust Into Another Project
Give your coding agent this repository:
```text
https://git.wilkensxl.de/MrSphay/MrTrust
```
Tell it to read:
```text
mrtrust.integration.json
docs/agent-target-integration.md
docs/integration-prompt.md
```
The target project should end up with:
- signed Windows release artifacts
- a visible optional MrTrust setup path
- a link to or bundled copy of `MrTrust.exe`
- documentation for installing and removing trust
- no committed private signing material
Remember the two-part handshake:
- MrTrust side: the user installs public trust certificates once.
- Target project side: the app is signed with the MrSphay code-signing certificate.
No signature, no trust. No trust, no victory parade.
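The target-project half of the handshake can be checked per file. This added example (not from the MrTrust repository) reads a file's Authenticode signature and compares the signer against the published code-signing thumbprint; the function name `Test-MrSphaySignature` and the verdict wording are assumptions.

```powershell
# Added example; Test-MrSphaySignature is a hypothetical helper, not a MrTrust command.
function Test-MrSphaySignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Public code-signing thumbprint published in this README.
        [string]$SignerPin = 'A024A89200469F099EC4A172B4F96F6428AFD41B'
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $pinned = [bool]($signer -and $signer.Thumbprint -eq $SignerPin)

    # Map the Windows verdict plus the pin comparison to one readable outcome.
    $verdict = switch ($sig.Status.ToString()) {
        'NotSigned'    { 'Unsigned: installing trust changes nothing for this file' }
        'HashMismatch' { 'Contents changed after signing: do not run' }
        'Valid' {
            if ($pinned) { 'Signed with the pinned certificate and trusted on this PC' }
            else         { 'Valid signature, but from a different certificate' }
        }
        default {
            if ($pinned) { 'Signed with the pinned certificate, not validated here (is trust installed?)' }
            else         { 'Not validated and not the pinned signer' }
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        SignerPinned  = $pinned
        # A timestamp keeps the signature verifiable after the certificate expires.
        Timestamped   = [bool]$sig.TimeStamperCertificate
        Verdict       = $verdict
    }
}

# Usage with the placeholder path from the signing example above:
# Test-MrSphaySignature -Path "C:\Path\To\App.exe" | Format-List
```

Running it before and after `Install trust` shows the two halves separately: `SignerPinned` depends only on how the file was signed, while `Status` depends on the trust state of the PC.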
## Current Build
The Gitea workflow builds `MrTrust.exe` on `ubuntu-latest` with .NET Windows cross-targeting.
On pushes to `main`, it:
1. builds the standalone Windows executable
2. packages `MrTrust-0.1.4.zip`
3. uploads the workflow artifact
4. attaches the ZIP to the Gitea release
Manual `workflow_dispatch` runs build artifacts but do not attach release assets. This prevents duplicate release uploads, which are bad for morale and paperwork.
## Final Safety Reminder
MrTrust is intentionally visible and reversible:
- the GUI shows the trust state
- installation requires confirmation
- removal is available in the same tool
- public certificates are embedded in the executable
- private signing material is never needed on user machines
For broad public distribution without SmartScreen reputation delays, a recognized commercial code-signing certificate is still the cleanest option.
Thank you for choosing MrTrust. Stay signed, stay verified, and keep your release pipeline tidy.