3.9 KiB
MrTrust
MrTrust is a small Windows trust-onboarding kit for MrSphay software.
It is designed for this workflow:
- MrSphay creates a private code-signing certificate once.
- MrSphay publishes only the public trust certificate with MrTrust.
- A user runs MrTrust once and explicitly approves installing that public certificate.
- MrSphay projects signed with the matching certificate chain are shown as trusted on that PC.
MrTrust does not bypass Microsoft Defender or SmartScreen. Windows can still scan, quarantine, or warn about suspicious files. This project only manages normal Windows certificate trust with visible user consent.
What It Contains
MrTrust.ps1 guiopens a simple Windows interface for installing or removing trust.scripts/New-MrTrustCertificate.ps1creates a local root certificate and a code-signing certificate for the publisher.scripts/Install-MrTrust.ps1installs the public trust certificate for the current user or the local machine.scripts/Uninstall-MrTrust.ps1removes the MrTrust certificate again.scripts/Sign-MrTrustProject.ps1signs.exe,.msi,.ps1, and other Authenticode-compatible files.scripts/New-MrTrustRelease.ps1builds a distributable ZIP package.docs/integration-prompt.mdis a prompt you can paste into other Windows projects.
Quick Start For MrSphay
Create the certificates:
.\scripts\New-MrTrustCertificate.ps1
This writes:
- public certificates to
assets\certificates\ - private signing material to
private\
The private\ directory is ignored by git. Do not publish .pfx files or passwords.
Install the public trust certificate on your own PC:
.\MrTrust.ps1 install
Open the GUI:
.\MrTrust.ps1 gui
Sign another project build:
.\MrTrust.ps1 sign `
-Path "C:\Path\To\App.exe" `
-PfxPath ".\private\MrSphay-CodeSigning.pfx"
Remove the trust certificate:
.\MrTrust.ps1 uninstall
Build a user-facing ZIP release:
.\scripts\New-MrTrustRelease.ps1 -Version 0.1.0
The Gitea workflow .gitea/workflows/build.yml builds the Windows launcher EXE on an ubuntu-latest runner with .NET Windows cross-targeting, then uploads the ZIP as an artifact.
User Installation
For normal users, distribute MrTrust with the public certificate file:
assets\certificates\MrSphay-LocalTrust-Root.cer
assets\certificates\MrSphay-CodeSigning.cer
The user runs:
.\MrTrust.ps1 gui
By default, MrTrust installs trust only for the current Windows user:
Root certificate -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher
For all users on the machine, run PowerShell as Administrator:
.\MrTrust.ps1 install -Scope LocalMachine
Using This Repo With Other Agents
Yes. Give another agent this repository URL and the target Windows project, then paste docs/integration-prompt.md.
Both sides have to be wired:
- MrTrust side: users install the public trust certificates once.
- Target project side: release artifacts are signed with the MrSphay code-signing certificate.
- Installer side, optional: the target app can offer "Open MrTrust" or bundle the MrTrust ZIP, but it must not silently change trust.
If the target project is not signed, MrTrust cannot make it trusted.
Important Limits
- This only helps for programs signed with the matching MrSphay certificate chain.
- It does not make unsigned programs trusted.
- It does not disable Defender, SmartScreen, UAC, or enterprise policies.
- Public distribution without warnings is still best handled with a recognized commercial code-signing certificate.
Recommended Project Integration
Use docs/integration-prompt.md in another Windows project. The prompt tells Codex or another assistant to add a visible trust check, a link or bundled copy of MrTrust, and a signing step without hiding security changes from the user.