Public certificate (.cer) used to Authenticode-sign release binaries
across all yotsuda OSS projects:
- PowerShell.MCP
- ripple
- (others — see project READMEs for which binaries are signed)
The certificate is self-signed (not issued by a public CA). The private key is held only by the project maintainer; this repository contains the public key only.
| Field | Value |
|---|---|
| Subject | CN=yotsuda, O=Yoshifumi Tsuda, C=JP |
| Issuer | self (same as Subject) |
| Key | RSA 4096, SHA-256 |
| Validity | 2026-04-18 to 2036-04-18 |
| Thumbprint (SHA-1) | 74E5208228DFB12A067747D536BF497B6E98C73C |
| Thumbprint (SHA-256) | ABCE0AFEE35BD19EE1DF8F16E64436439516DDC3FD40229EA7786A8B23BC8013 |
The thumbprints are also published in every signed release's notes — verify them before trusting the certificate.
Choose the scenario that matches your environment.
Adds the certificate to your machine's Trusted Publisher store. After this, signed binaries from yotsuda projects no longer trigger "Unknown publisher" warnings.
```powershell
# Run as Administrator
Import-Certificate `
    -FilePath yotsuda.cer `
    -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
```

Push the certificate via Group Policy. After `gpupdate`, every domain-joined machine in the targeted OU automatically trusts the publisher.
1. Open Group Policy Management Console (`gpmc.msc`) and edit the GPO that targets the OU you want.
2. Navigate to: `Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers`
3. Right-click → Import → select `yotsuda.cer`.
4. Link the GPO to the target OU. After `gpupdate /force` (or the next refresh), every machine has the certificate in its `LocalMachine\TrustedPublisher` store.

This handles AppLocker publisher rules, SmartScreen "unknown publisher" warnings, and signed PowerShell script execution. WDAC / Device Guard is a separate layer — see the next section if your policy enforces WDAC.
WDAC ignores per-machine trust stores and only honors signers listed in the policy XML. Adding the certificate to the policy means future updates of yotsuda OSS binaries pass WDAC without per-version hash exceptions.
```powershell
# Add a User-mode signer rule to your existing WDAC policy XML, derived
# directly from the .cer
Add-SignerRule `
    -FilePath YourExistingPolicy.xml `
    -CertificatePath yotsuda.cer `
    -User

# Convert the updated policy XML to the binary form WDAC enforces
ConvertFrom-CIPolicy `
    -XmlFilePath YourExistingPolicy.xml `
    -BinaryFilePath SiPolicy.p7b

# Then deploy SiPolicy.p7b via your usual mechanism (GPO / Intune / etc.)
```

Note: if your WDAC policy is configured to reject all third-party publishers (only Microsoft signatures + explicit hashes are allowed), this won't help — and unfortunately a paid CA cert wouldn't help either in that case unless the CA's root is in your policy's trust list.
```powershell
Get-AuthenticodeSignature path\to\binary.exe |
    Format-List Status, SignerCertificate, TimeStamperCertificate
```

The signer thumbprint should match the value listed under Certificate details. If it doesn't, do not trust the binary and please open an issue.
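
The two thumbprint checks this page asks for (the `.cer` before importing it, and a binary's signer afterwards) can be scripted. The following is an added example, not part of the project's own tooling; the function names are hypothetical, the pinned values are copied from the table above, and it assumes `yotsuda.cer` sits in the current directory.

```powershell
# Pinned thumbprints, copied from the certificate details table on this page.
$PinnedSha1   = '74E5208228DFB12A067747D536BF497B6E98C73C'
$PinnedSha256 = 'ABCE0AFEE35BD19EE1DF8F16E64436439516DDC3FD40229EA7786A8B23BC8013'

function Get-Sha256Thumbprint {          # hypothetical helper name
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The SHA-256 thumbprint is the SHA-256 hash of the DER-encoded certificate.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        -join ($sha.ComputeHash($Certificate.RawData) | ForEach-Object { $_.ToString('X2') })
    } finally {
        $sha.Dispose()
    }
}

function Test-PinnedCertFile {           # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)
    # Both published thumbprints must match; -eq on strings ignores case.
    ($cert.Thumbprint -eq $PinnedSha1) -and
        ((Get-Sha256Thumbprint -Certificate $cert) -eq $PinnedSha256)
}

function Test-PinnedSigner {             # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # Reject files with no signature or whose content changed after signing.
    if ($null -eq $sig.SignerCertificate) { return $false }
    if ($sig.Status -in 'NotSigned', 'HashMismatch') { return $false }
    # Pin on the signer certificate itself, not on the Subject string,
    # which anyone can reproduce in another self-signed certificate.
    (Get-Sha256Thumbprint -Certificate $sig.SignerCertificate) -eq $PinnedSha256
}

# Run this before Import-Certificate, the GPO import, or Add-SignerRule.
if (-not (Test-PinnedCertFile -Path 'yotsuda.cer')) {
    throw 'yotsuda.cer does not match the published thumbprints; do not import it.'
}

# Run this against each downloaded release binary.
if (-not (Test-PinnedSigner -Path 'path\to\binary.exe')) {
    throw 'Binary is unsigned, modified after signing, or signed by a different certificate.'
}
```

`Test-PinnedSigner` deliberately does not require `Status` to be `Valid`, so it gives the same answer whether or not the certificate has already been added to a local trust store.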
- A CA-issued cert costs several hundred USD/year — unsustainable for a one-person OSS effort
- WDAC environments that accept publisher rules treat self-signed and CA-issued certs the same way once trusted: a single one-time setup replaces per-version hash whitelists
- For SmartScreen reputation and "Verified Publisher" UAC, a CA cert (especially EV) is more polished, but isn't required to make the binaries usable in enterprise deployments
If a sponsor wants to fund a CA-issued (or EV) cert for these projects, please open an issue.
Public-domain. The certificate file is provided "as is" with no warranty.