MrTrust

Brought To You By The Fine People Of MrSphay

Good morning, citizen.

Has Windows ever looked at your freshly downloaded MrSphay program and said:

Unknown publisher? Sounds suspicious, pal.

Then step right up to MrTrust, the cheerful little trust-onboarding utility that helps your PC recognize signed MrSphay software without poking holes in Windows security.

One click. One confirmation. A brighter tomorrow for properly signed applications.

MrTrust installs public certificates only after you say so. It does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, company policies, common sense, or the big red security lever nobody should touch.

Download Your Complimentary Trust Appliance

Latest release page:

https://git.wilkensxl.de/MrSphay/MrTrust/releases

Download the newest:

MrTrust-<version>.zip

Extract it, then run:

MrTrust.exe

That is the normal user version. It is standalone and carries the public MrSphay certificates it needs.

Operating Your Trust-O-Matic 3000

Inside the friendly GUI:

• Install trust tells Windows to trust MrSphay public signing certificates.
• Remove trust politely takes that trust back out again.
• Refresh checks whether your PC is currently feeling cooperative.

Default installation scope:

Root certificate -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher

That means the trust applies only to the current Windows user.

For all users on the PC, run MrTrust.exe as Administrator and choose the all-users option. Please operate administrator privileges responsibly. The future depends on it.

How The Magic Works

There is no magic. That is how you know it is working.

The approved flow:

1. A MrSphay app is signed during its release build.
2. You run MrTrust.exe.
3. You review the certificate details.
4. You confirm the trust installation.
5. Windows can validate signed MrSphay apps on that PC.

If the app is not signed, MrTrust cannot help it. Even the finest paperwork cannot identify a person who never showed up.

Safety Notice From The Department Of Not Breaking Windows

MrTrust does not:

• make unsigned programs trusted
• bypass Defender
• bypass SmartScreen
• remove UAC prompts
• silently install certificates
• install private signing keys on user machines
• make sketchy software less sketchy

Windows may still scan, block, warn, quarantine, or ask questions. MrTrust only handles normal certificate trust.

Public Certificate Values

These values are public and safe to use in documentation, agent prompts, and integration metadata:

Publisher:
MrSphay

Root certificate thumbprint:
39F7458E6E2C1126E93E6A1F228196006B174DF2

Code-signing certificate thumbprint:
A024A89200469F099EC4A172B4F96F6428AFD41B

They are also stored here:

assets/certificates/thumbprints.txt
mrtrust.integration.json

For The Workshop Crew

Local maintainer commands:

.\MrTrust.ps1 gui
.\MrTrust.ps1 install
.\MrTrust.ps1 uninstall

Create or refresh local certificates:

.\scripts\New-MrTrustCertificate.ps1

Build a release ZIP locally:

.\scripts\New-MrTrustRelease.ps1 -Version 0.1.4

Sign an artifact locally on Windows:

.\MrTrust.ps1 sign `
  -Path "C:\Path\To\App.exe" `
  -CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B

Private signing material belongs only in:

private/
Bitwarden
Gitea repository secrets

Never commit .pfx files, private keys, passwords, or Base64-encoded signing material. That is not trust. That is handing out the vault keys at the snack counter.

Gitea Secrets For Other Projects

For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these secrets to that target repository:

MRTRUST_CODESIGN_PFX_BASE64
MRTRUST_CODESIGN_PFX_PASSWORD

Optional timestamp override:

MRTRUST_TIMESTAMP_URL

The first two values are private signing credentials. Keep them in Bitwarden and Gitea Secrets only.

Ubuntu helper script:

scripts/Sign-MrTrustProjectLinux.sh

It signs supported Windows artifacts with osslsigncode:

.exe
.msi
.dll
.cat

PowerShell scripts should be signed on Windows, not Ubuntu.

Installing MrTrust Into Another Project

Give your coding agent this repository:

https://git.wilkensxl.de/MrSphay/MrTrust

Tell it to read:

mrtrust.integration.json
docs/agent-target-integration.md
docs/integration-prompt.md

The target project should end up with:

• signed Windows release artifacts
• a visible optional MrTrust setup path
• a link to or bundled copy of MrTrust.exe
• documentation for installing and removing trust
• no committed private signing material

Remember the two-part handshake:

• MrTrust side: the user installs public trust certificates once.
• Target project side: the app is signed with the MrSphay code-signing certificate.

No signature, no trust. No trust, no victory parade.

Current Build

The Gitea workflow builds MrTrust.exe on ubuntu-latest with .NET Windows cross-targeting.

On pushes to main, it:

1. builds the standalone Windows executable
2. packages MrTrust-0.1.4.zip
3. uploads the workflow artifact
4. attaches the ZIP to the Gitea release

Manual workflow_dispatch runs build artifacts but do not attach release assets. This prevents duplicate release uploads, which are bad for morale and paperwork.

Final Safety Reminder

MrTrust is intentionally visible and reversible:

• the GUI shows the trust state
• installation requires confirmation
• removal is available in the same tool
• public certificates are embedded in the executable
• private signing material is never needed on user machines

For broad public distribution without SmartScreen reputation delays, a recognized commercial code-signing certificate is still the cleanest option.

Thank you for choosing MrTrust. Stay signed, stay verified, and keep your release pipeline tidy.