MrSphay/MrTrust
1
0
Fork 0
generated from MrSphay/codex-agent-repository-kit
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity
Files
01148f47037dc2d6eac1f9d5ae66b72bd8e96ce7
MrTrust/README.md
MrSphay 01148f4703
All checks were successful
Build MrTrust / build (push) Successful in 2m31s
Details
Clarify MrTrust target project integration for agents
2026-05-16 01:46:36 +02:00

4.4 KiB
Raw Blame History

MrTrust

MrTrust is a small Windows trust-onboarding kit for MrSphay software.

It is designed for this workflow:

  1. MrSphay creates a private code-signing certificate once.
  2. MrSphay publishes only the public trust certificate with MrTrust.
  3. A user runs MrTrust once and explicitly approves installing that public certificate.
  4. MrSphay projects signed with the matching certificate chain are shown as trusted on that PC.

MrTrust does not bypass Microsoft Defender or SmartScreen. Windows can still scan, quarantine, or warn about suspicious files. This project only manages normal Windows certificate trust with visible user consent.

What It Contains

  • MrTrust.exe opens a standalone Windows interface for installing or removing trust.
  • MrTrust.ps1 and scripts/ are source and maintainer tools for building, signing, and local development.
  • scripts/New-MrTrustCertificate.ps1 creates a local root certificate and a code-signing certificate for the publisher.
  • scripts/Install-MrTrust.ps1 installs the public trust certificate for the current user or the local machine.
  • scripts/Uninstall-MrTrust.ps1 removes the MrTrust certificate again.
  • scripts/Sign-MrTrustProject.ps1 signs .exe, .msi, .ps1, and other Authenticode-compatible files.
  • scripts/New-MrTrustRelease.ps1 builds a distributable ZIP package.
  • docs/integration-prompt.md is a prompt you can paste into other Windows projects.
  • MrTrust.exe is standalone for normal users. It embeds the public certificates and runtime scripts.

Quick Start For MrSphay

Create the certificates:

.\scripts\New-MrTrustCertificate.ps1

This writes:

  • public certificates to assets\certificates\
  • private signing material to private\

The private\ directory is ignored by git. Do not publish .pfx files or passwords.

Install the public trust certificate on your own PC:

.\MrTrust.ps1 install

Open the GUI:

.\MrTrust.ps1 gui

Sign another project build:

.\MrTrust.ps1 sign `
  -Path "C:\Path\To\App.exe" `
  -PfxPath ".\private\MrSphay-CodeSigning.pfx"

Remove the trust certificate:

.\MrTrust.ps1 uninstall

Build a user-facing ZIP release:

.\scripts\New-MrTrustRelease.ps1 -Version 0.1.1

The Gitea workflow .gitea/workflows/build.yml builds the Windows launcher EXE on an ubuntu-latest runner with .NET Windows cross-targeting, then uploads the ZIP as an artifact.

User Installation

For normal users, distribute MrTrust.exe. The executable embeds the public certificate files and opens the GUI by default.

By default, MrTrust installs trust only for the current Windows user:

Root certificate -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher

For all users on the machine, run PowerShell as Administrator:

.\MrTrust.exe

Then choose the all-users option in the GUI.

Using This Repo With Other Agents

Yes. Give another agent this repository URL, the target Windows project, and docs/integration-prompt.md.

The agent's job is to modify the target project, not this repository:

  • expose a visible "Open MrTrust" or trust setup path for users
  • link to or bundle the standalone MrTrust.exe
  • sign Windows release artifacts with the MrSphay code-signing certificate
  • keep trust installation explicit, reversible, and user-confirmed
  • keep private signing material out of the target repository and release artifacts

Both sides have to be wired:

  • MrTrust side: users install the public trust certificates once.
  • Target project side: release artifacts are signed with the MrSphay code-signing certificate.
  • Installer side, optional: the target app can offer "Open MrTrust" or bundle MrTrust.exe, but it must not silently change trust.

If the target project is not signed, MrTrust cannot make it trusted.

Important Limits

  • This only helps for programs signed with the matching MrSphay certificate chain.
  • It does not make unsigned programs trusted.
  • It does not disable Defender, SmartScreen, UAC, or enterprise policies.
  • Public distribution without warnings is still best handled with a recognized commercial code-signing certificate.

Recommended Project Integration

Use docs/integration-prompt.md in another Windows project. The prompt tells Codex or another assistant to add a visible trust check, a link or bundled copy of the standalone MrTrust.exe, and a signing step without hiding security changes from the user.

Reference in New Issue View Git Blame Copy Permalink