Merge pull request #12781 from electron/more-code-signing

More code signing docs

docs/tutorial/code-signing.md

@@ -1,8 +1,15 @@
 # Code Signing
 
 Code signing is a security technology that you use to certify that an app was 
-created by you. Once an app is signed, the system can detect any change to the 
-app, whether the change is introduced accidentally or by malicious code.
+created by you.
+
+On macOS the system can detect any change to the  app, whether the change is
+introduced accidentally or by malicious code.
+
+On Windows the system assigns a trust level to your code signing certificate which
+if you don't have, or if your trust level is low will cause security dialogs to
+appear when users start using your application.  Trust level builds over time
+so it's better to start code signing as early as possible.
 
 While it is possible to distribute unsigned apps, it is not recommended. 
 For example, here's what macOS users see when attempting to start an unsigned app:
@@ -28,18 +35,42 @@ There are a number of tools for signing your packaged app:
 - [`electron-osx-sign`] is a standalone tool for signing macOS packages.
 - [`electron-packager`] bundles `electron-osx-sign`. If you're using `electron-packager`,
 pass the `--osx-sign=true` flag to sign your build.
+  - [`electron-forge`] uses `electron-packager` internally, you can set the `osxSign` option
+    in your forge config.
 - [`electron-builder`] has built-in code-signing capabilities. See [electron.build/code-signing](https://www.electron.build/code-signing)
 
 For more info, see the [Mac App Store Submission Guide].
 
 # Signing Windows builds
 
+Before signing Windows builds, you must do the following:
+
+1. Get a Windows Authenticode code signing certificate
+2. Install Visual Studio 2015/2017 (to get the signing utility)
+
+You can get a code signing certificate from a lot of resellers, popular ones include:
+
+* [digicert](https://www.digicert.com/code-signing/microsoft-authenticode.htm)
+* [Comodo](https://www.comodo.com/landing/ssl-certificate/authenticode-signature/)
+* [GoDaddy](https://au.godaddy.com/web-security/code-signing-certificate)
+* Amongst others, please shop around to find one that suits your needs, Google is your friend :)
+
+There are a number of tools for signing your packaged app:
+
+- [`electron-winstaller`] will generate an installer for windows and sign it for you
+- [`electron-forge`] can sign installers it generates through the Squirrel.Windows or MSI targets.
+- [`electron-builder`] can sign some of its windows targets
+
+## Windows Store
+
 See the [Windows Store Guide].
 
 [Apple Developer Program]: https://developer.apple.com/programs/
+[`electron-builder`]: https://github.com/electron/electron-builder
+[`electron-forge`]: https://github.com/electron-userland/electron-forge
 [`electron-osx-sign`]: https://github.com/electron-userland/electron-osx-sign
 [`electron-packager`]: https://github.com/electron-userland/electron-packager
-[`electron-builder`]: https://github.com/electron/electron-builder
+[`electron-winstaller`]: https://github.com/electron/windows-installer
 [Xcode]: https://developer.apple.com/xcode
 [signing certificates]: https://github.com/electron-userland/electron-osx-sign/wiki/1.-Getting-Started#certificates
 [Mac App Store Submission Guide]: mac-app-store-submission-guide.md