MrTrust
Brought To You By The Fine People Of MrSphay
Good morning, citizen.
Has Windows ever looked at your freshly downloaded MrSphay program and said:
Unknown publisher? Sounds suspicious, pal.
Then step right up to MrTrust, the cheerful little trust-onboarding utility that helps your PC recognize signed MrSphay software without poking holes in Windows security.
One click. One confirmation. A brighter tomorrow for properly signed applications.
MrTrust installs public certificates only after you say so. It does not disable Microsoft Defender, SmartScreen, UAC, firewall rules, company policies, common sense, or the big red security lever nobody should touch.
Download Your Complimentary Trust Appliance
Latest release page:
https://git.wilkensxl.de/MrSphay/MrTrust/releases
Download the newest:
MrTrust-<version>.zip
Extract it, then run:
MrTrust.exe
That is the normal user version. It is standalone and carries the public MrSphay certificates it needs.
Operating Your Trust-O-Matic 3000
Inside the friendly GUI:
- Install trust tells Windows to trust MrSphay public signing certificates.
- Remove trust politely takes that trust back out again.
- Refresh checks whether your PC is currently feeling cooperative.
Default installation scope:
Root certificate -> Cert:\CurrentUser\Root
Code-signing certificate -> Cert:\CurrentUser\TrustedPublisher
That means the trust applies only to the current Windows user.
For all users on the PC, run MrTrust.exe as Administrator and choose the all-users option. Please operate administrator privileges responsibly. The future depends on it.
How The Magic Works
There is no magic. That is how you know it is working.
The approved flow:
- A MrSphay app is signed during its release build.
- You run MrTrust.exe.
- You review the certificate details.
- You confirm the trust installation.
- Windows can validate signed MrSphay apps on that PC.
If the app is not signed, MrTrust cannot help it. Even the finest paperwork cannot identify a person who never showed up.
Safety Notice From The Department Of Not Breaking Windows
MrTrust does not:
- make unsigned programs trusted
- bypass Defender
- bypass SmartScreen
- remove UAC prompts
- silently install certificates
- install private signing keys on user machines
- make sketchy software less sketchy
Windows may still scan, block, warn, quarantine, or ask questions. MrTrust only handles normal certificate trust.
Public Certificate Values
These values are public and safe to use in documentation, agent prompts, and integration metadata:
Publisher:
MrSphay
Root certificate thumbprint:
39F7458E6E2C1126E93E6A1F228196006B174DF2
Code-signing certificate thumbprint:
A024A89200469F099EC4A172B4F96F6428AFD41B
They are also stored here:
assets/certificates/thumbprints.txt
mrtrust.integration.json
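A check against the published thumbprints, as an added example that is not part of MrTrust or its scripts: it reports whether the two public certificates sit in the stores named above and whether a file's Authenticode signer is the MrSphay code-signing certificate. The function names are hypothetical, the file path is a placeholder, and the LocalMachine store paths assume that is where the all-users option installs.

```powershell
# Added example, not MrTrust code. Thumbprints are the public values listed above.
$RootThumbprint     = '39F7458E6E2C1126E93E6A1F228196006B174DF2'
$CodeSignThumbprint = 'A024A89200469F099EC4A172B4F96F6428AFD41B'

function Get-MrSphayTrustState {
    # CurrentUser is the documented default scope. LocalMachine is an assumption
    # about where the all-users option places the same certificates.
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        [pscustomobject]@{
            Scope            = $scope
            RootInstalled    = Test-Path "Cert:\$scope\Root\$RootThumbprint"
            PublisherTrusted = Test-Path "Cert:\$scope\TrustedPublisher\$CodeSignThumbprint"
        }
    }
}

function Test-MrSphaySignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $thumb  = $null
    if ($signer) { $thumb = $signer.Thumbprint }

    [pscustomobject]@{
        Path             = $Path
        Status           = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        SignerThumbprint = $thumb
        # 'Valid' only says the chain is trusted on this PC. Comparing the signer
        # against the published thumbprint confirms it is the MrSphay certificate.
        SignedByMrSphay  = ($sig.Status -eq 'Valid') -and ($thumb -eq $CodeSignThumbprint)
        # A timestamp lets the signature stay verifiable after the certificate expires.
        Timestamped      = [bool]$sig.TimeStamperCertificate
    }
}

Get-MrSphayTrustState | Format-Table -AutoSize

$app = 'C:\Path\To\App.exe'   # placeholder path, replace with a real signed artifact
if (Test-Path -LiteralPath $app) {
    Test-MrSphaySignature -Path $app | Format-List
}
```

Reading the certificate stores and checking a signature does not require elevation. A `Status` of `NotTrusted` together with a matching `SignerThumbprint` means the file is signed by MrSphay but trust has not been installed for that scope.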
For The Workshop Crew
Local maintainer commands:
.\MrTrust.ps1 gui
.\MrTrust.ps1 install
.\MrTrust.ps1 uninstall
Create or refresh local certificates:
.\scripts\New-MrTrustCertificate.ps1
Build a release ZIP locally:
.\scripts\New-MrTrustRelease.ps1 -Version 0.1.4
Sign an artifact locally on Windows:
.\MrTrust.ps1 sign `
-Path "C:\Path\To\App.exe" `
-CertificateThumbprint A024A89200469F099EC4A172B4F96F6428AFD41B
Private signing material belongs only in:
private/
Bitwarden
Gitea repository secrets
Never commit .pfx files, private keys, passwords, or Base64-encoded signing material. That is not trust. That is handing out the vault keys at the snack counter.
Gitea Secrets For Other Projects
For another project to sign Windows release artifacts on an Ubuntu Gitea runner, add these secrets to that target repository:
MRTRUST_CODESIGN_PFX_BASE64
MRTRUST_CODESIGN_PFX_PASSWORD
Optional timestamp override:
MRTRUST_TIMESTAMP_URL
The first two values are private signing credentials. Keep them in Bitwarden and Gitea Secrets only.
Ubuntu helper script:
scripts/Sign-MrTrustProjectLinux.sh
It signs supported Windows artifacts with osslsigncode:
.exe
.msi
.dll
.cat
PowerShell scripts should be signed on Windows, not Ubuntu.
Installing MrTrust Into Another Project
Give your coding agent this repository:
https://git.wilkensxl.de/MrSphay/MrTrust
Tell it to read:
mrtrust.integration.json
docs/agent-target-integration.md
docs/integration-prompt.md
The target project should end up with:
- signed Windows release artifacts
- a visible optional MrTrust setup path
- a link to or bundled copy of MrTrust.exe
- documentation for installing and removing trust
- no committed private signing material
Remember the two-part handshake:
- MrTrust side: the user installs public trust certificates once.
- Target project side: the app is signed with the MrSphay code-signing certificate.
No signature, no trust. No trust, no victory parade.
Current Build
The Gitea workflow builds MrTrust.exe on ubuntu-latest with .NET Windows cross-targeting.
On pushes to main, it:
- builds the standalone Windows executable
- packages MrTrust-0.1.4.zip
- uploads the workflow artifact
- attaches the ZIP to the Gitea release
Manual workflow_dispatch runs build artifacts but do not attach release assets. This prevents duplicate release uploads, which are bad for morale and paperwork.
Final Safety Reminder
MrTrust is intentionally visible and reversible:
- the GUI shows the trust state
- installation requires confirmation
- removal is available in the same tool
- public certificates are embedded in the executable
- private signing material is never needed on user machines
For broad public distribution without SmartScreen reputation delays, a recognized commercial code-signing certificate is still the cleanest option.
Thank you for choosing MrTrust. Stay signed, stay verified, and keep your release pipeline tidy.