Ha, it's all very funny in a painful way. I am just going through this right now. I previously had done a code signing just to prevent Microsoft saying the app was from an unknown publisher and causing difficulties for users to install. I grumbled at the time but I did it anyway because it was not too expensive. Then I forgot about it.
Fast forward three years, and I was trying to update my app on the Microsoft App Store, but was rejected because the code signing is now invalid. It expired after three years. Okay, so I remember I did this before and dug around for my notes on the subject (ha ha, I left none). I came to learn that back in June, Microsoft changed the rules such that a physical hardware (USB) key is required to do the job, and as you say, it is now absurdly expensive. And to me, at least, the process, rules, and requirements are incredibly vague and badly described. There also seem to be many shady organizations selling the service, and it is not clear who can be trusted or how it all works.
Still, if you want to put your app in the Microsoft App Store, there is no choice but to do the code signing, and I also got a couple of reports from new users that seem to indicate various antimalware products producing a false positive and quarantining the executable. So, onward into the breach.
Not knowing who to trust, I gave my money to Sectigo, which seems to be the biggest dog in this game.
https://www.sectigo.com/ssl-certificates-tls/code-signing
The cost was an astonishing $829 for three years. It hardly seems worth it considering 90% of my sales are iOS and Android, but I felt I had no choice in the matter as supporting all three platforms equally is an important part of my marketing for the app.
So, I filled out all the required info and forked over the money. The interactions with Sectigo are all web-based, and vague, and they kept rejecting me without clear explanation.
A few days ago I got an early morning call from a lady in India, nearly impossible to understand, telling me that she called because she had to verify my phone number. I said "OK, thanks." After a period of silence, she started telling me I had to sign up with some web site where I could list my company (which is just me, by the way). She said "I'm not telling you that you have to do it, but you have to do it". I blinked in confusion. "Why do I have to do this?" "Because I need to verify your phone number".
"But... but... you called my phone number and I answered and I am talking to you."
We went in circles on this to no avail. And as I started looking into the web site she had mentioned (which sounds like yet another way to take my money) and again tried to explain that I'm just some guy working out of his house and not a Fortune 500 company, she mentioned that it would be easier if I signed up as an individual instead of a company. I asked why their web site didn't offer any such choice, and she could not answer, at least not in English that I could understand. She put me on hold, then came back, and said she had switched my application to an individual. Okay, great. But she still had to verify my phone number(!!) so after hanging up, I got an email with a link to click that would then call me (at the same f@#$% number) so I could enter a code to verify that I am me by some mystical prestidigitation.
Anyway, so now I am approved, and am awaiting the arrival by mail of my USB key. From there I will need to figure out again how to apply this signing to my B4J app, a bridge I will cross when the USB key arrives. I figured that part out three years ago, so I'm assuming I can muster the wits to figure it out again.
Ugh. It would be awesomely great if there were a trusted post on this forum with step by step instructions for B4J code signing, including why to do it, what type to buy, who are trusted vendors, and related procedures and "gotchas". I would do it based on my own experiences but I am just winging it and so I don't trust my experiences as authoritative or knowledgeable in any way and would not want to mislead others.
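As an added example, not part of the post above and not anything the author or the B4J project published, here is the signing step a practitioner would run once the USB token arrives: it signs a packaged executable with the certificate the token exposes, countersigns it with an RFC 3161 timestamp, and then verifies the result two ways. The timestamp is the "gotcha" most worth knowing: a signature without one stops validating the day the certificate expires, while a timestamped signature on an already-shipped build stays valid (you still need a current certificate to sign new releases). Everything here is an assumption about your setup: the executable path, the certificate subject, that the Windows SDK's signtool.exe is on PATH, and that the token vendor's driver/CSP is installed so the certificate shows up in the CurrentUser\My store (the token will prompt for its PIN when signtool touches the key).

```powershell
# Added example (not from the original post): sign a packaged B4J executable with a
# hardware-token code-signing certificate using signtool.exe, then verify the result.
# Assumptions (placeholders you must replace): the exe path, the certificate subject,
# signtool.exe on PATH, and the token driver installed so the cert is in CurrentUser\My.

$Exe          = "C:\build\MyApp.exe"             # placeholder: your packaged B4J app
$Subject      = "My Company Name"                # placeholder: CN on your certificate
$TimestampUrl = "http://timestamp.sectigo.com"   # Sectigo's RFC 3161 timestamp server

# 1. Locate the certificate the token exposes. Compare the thumbprint with what the CA
#    sent you so you do not accidentally sign with an old or test certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like "*$Subject*" } |
        Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate for '$Subject' in CurrentUser\My; is the token plugged in and its driver installed?"
}
"Using certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# 2. Sign with SHA-256 and an RFC 3161 timestamp. /sha1 selects the cert by thumbprint,
#    /fd is the file digest, /tr + /td request and hash the timestamp countersignature.
& signtool.exe sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify under the default Authenticode policy (/pa), which chains to the
#    Microsoft-trusted roots rather than the stricter kernel-mode policy.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Cross-check from PowerShell: status must be Valid and a timestamp must be present,
#    otherwise the signature will break as soon as the certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp countersignature; re-sign with /tr so the signature outlives the cert"
}
"Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run this from a normal (non-elevated) PowerShell session with the token inserted; if step 1 finds nothing, fix the token driver before touching signtool, since the rest of the script cannot work without the certificate being visible in the store.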