After seeing a few "John Doe - Open Source Developer" authentication certificates pop up when installing Open Source packages on Windows, and investigating their origin, I was pleasantly surprised to find that Certum, which is a Certification Authority based in Poland, currently offers free Windows Authenticode signing certificates for Open Source Developers.
This means that, as a Free or Open Source Developer on Windows, you now have the means to sign your applications and turn the following:
Obviously, this is great news for anyone dabbling in FOSS development, as it means we can now provide end users with Windows applications that they will see as trustworthy, without having to subscribe to the whole "your trustworthiness is only as big as your checkbook" scam.
To obtain your free code signing certificate then, you should follow the instructions provided here or go directly to the registration form.
Once you have submitted the form, you should receive an e-mail (in about a day) that takes you through the key generation process. This is one of the 2 steps you will need to complete to obtain the signing credentials, the other being the provision of some proof of your identity and FOSS involvement to Certum.
Also, be mindful that this first step results in the credential's private key being generated in your browser's store (rather than on Certum's servers, which is definitely a good thing), so you must ensure that, when you retrieve the final Authenticode credentials, you do so using the same browser and the same machine as the one you used when completing this step. Otherwise, you will not be able to export your credentials, including the private key, for SignTool.
The other step you will also need to complete is the provision of a proof of identity (copy of your passport, etc.) as a FOSS developer, since an Authenticode certificate is really an identity verification process.
While the Certum documentation states that your proof of identity should be counter-signed by an official third party, I found it wasn't necessary. However, you should make sure that your proof of identity can be linked to your participation in public FOSS projects, so that Certum can confirm the validity of your request.
In all, it took about 2 days to obtain my Authenticode certificate, and I can't thank Certum enough for going against their obvious commercial interests in order to help the FOSS community. If you or your employer ever needs to purchase a commercial certificate, I hope you'll consider using Certum, as a reward for their efforts.
Now, one last hurdle you may face, after you've completed the whole process, is how to obtain the full credential, i.e. private key + public key certificate, in the form of a p12 or pfx file, so that you can use it with SignTool.
As you will find, the default web interface ("Save binary" / "Save plain") only provides a download link for the public key certificate, which is useless for signing applications as access to the private key is also required. Thus you need to be able to export the private key along with the certificate, in a package that SignTool can consume. To do that, you first need to click on the "Install" button, to get the whole credential imported into your browser's security store (if prompted, make sure you mark the private key as exportable). Then, once it is in your store, your browser should provide the option to export it along with the private key, either as a p12 or pfx (and prompt you for a password to secure private key access). But please remember that, because of the private key generation mechanism, you must use the same browser as the one you conducted step 1 with, else you will not be able to import the final Authenticode credentials.
Addon: If you ever find that, even though you properly signed an executable requiring elevated access, the icon of the application does not display during the UAC prompt, please remember that the SYSTEM account needs to have read access to your executable to be able to display its icon => check out the Security tab in your file's properties. If you don't see SYSTEM listed in "Group or user names", you need to add it manually.
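As an added example (not from the original post, nor from Certum), the following PowerShell script checks the points above before you ship a build: that the exported pfx actually carries the private key and a Code Signing EKU, that the signed executable passes Windows' Authenticode check, and that SYSTEM has read access so the UAC prompt can show the icon. The file paths, password and timestamp server URL are placeholders you need to replace.

```powershell
# Added example (not from the original post): sanity-check an exported Certum
# .pfx and a signed executable before shipping it. Paths and password below are
# placeholders; adjust them for your own files.
param(
    [string]$PfxPath = 'C:\certs\codesign.pfx',   # p12/pfx exported from the browser store (placeholder)
    [string]$ExePath = 'C:\build\myapp.exe',      # signed executable to check (placeholder)
    [string]$PfxPassword = 'changeme'             # password chosen at export time (placeholder)
)

# 1. The .pfx must carry the private key, or SignTool has nothing to sign with.
#    A "Save binary" / "Save plain" download (public certificate only) fails this check.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
if (-not $cert.HasPrivateKey) {
    throw "$PfxPath contains only the public certificate; re-export it from the browser that generated the key."
}

# 2. The certificate must be usable for code signing (Extended Key Usage OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$codeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $codeSigning) { throw "Certificate does not carry the Code Signing EKU." }

# Signing itself is done with SignTool, e.g. (timestamp URL is a placeholder):
#   signtool sign /f $PfxPath /p <password> /fd SHA256 /tr <timestamp server URL> /td SHA256 $ExePath

# 3. Check that Windows accepts the resulting signature and that it was made with this certificate.
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') { throw "Signature on $ExePath is $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "Executable was signed with a different certificate than $PfxPath."
}

# 4. The UAC prompt shows the application icon only if SYSTEM can read the file.
$acl = Get-Acl -Path $ExePath
$systemRead = $acl.Access | Where-Object {
    $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if (-not $systemRead) {
    Write-Warning "SYSTEM has no read access to $ExePath; the UAC prompt will show a generic icon. Add it via the Security tab."
}
Write-Output "Checks passed for $ExePath"
```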