Whilst there is a detailed design on Signature Constraints,
the end-user documentation is limited to a single paragraph embedded quite far down on the following page:
Signature constraints. These enforce an association between a state and its associated contract JAR which must be signed by a specified identity, via the regular Java jarsigner tool. This is the most flexible type and the smoothest to deploy: no restarts or contract upgrade transactions are needed. When a CorDapp is build using corda-gradle-plugin the JAR is signed by Corda development key by default, an external keystore can be configured or signing can be disabled.
For example, the highlighted sentence above requires further clarification and elaboration with examples.
Overall, a more prominent and better explanation of this key new feature would be welcome.