
An additional bit of context for why this is so annoying - Microsoft recently switched code signing to physical hardware only, meaning you must buy a server with an HSM, a USB security key, or use a more expensive CA. There are no longer any free CAs for this.


You can use a cloud HSM and some CAs offer cloud signing. We described some info about setting that up with our tool in this blog post (it talks about Electron but the instructions work for any kind of app):

https://www.hydraulic.dev/blog/21-shipping-electron-apps-fro...


So how do I get one of these with my colo'd machines?


If you have physical access to your own server you could just plug in the USB devices CAs sell you. The cloud HSMs/code signing services are more for people who don't have hardware access and have to rely on someone else's HSM accessed over the network.


Search "FIPS hardware security module"



