2016 update: StartCom has been acquired by WoSign under questionable circumstances. I wouldn't trust StartCom/WoSign. Consider the below text as a historical note on how good StartCom was up to early 2015.
I've got a code signing certificate from StartCom (StartSSL). I'm very satisfied with their service: Their customer service is very fast, and their prices are very reasonable.
Getting the code-signing certificate
Getting a code signing certificate requires Class 2 Identity Validation. StartCom guides you through the whole process (with excellent response rates, usually within ten minutes in my experience).
If you want to get the details right at once, read this blog post. I was validated within an hour (for a fee of 59.90 $, via Paypal).
After being validated, generate a new private key, and a Certificate Signing Request (CSR). Note that all fields except for the public key are ignored. All information in the certificate is inferred from the information you provide during identity validation, not from your CSR.
# Create key and CSR (key must be at least 2048 bit, per Policy Statement)
openssl req -nodes -newkey rsa:2048 -keyout codesigning.key -out codesigning.csr
# Add pass phrase to key (optional, but highly recommended)
openssl rsa -in codesigning.key -des3 -out codesigning2.key && \
mv codesigning2.key codesigning.key
Submit this via the web interface and you'll quickly get a new certificate that's valid for two years (I got mine within an hour).
Issue: Lifetime Signing OID
StartCom's class 2 certificates have the Lifetime Signing OID set. Because of this bit, the signature of signed code will become invalid after the certificate expires, even when it's timestamped.
When I asked Eddy Nigg (COO/CTO of StartCom) for the reason of this OID, he replied:
It requires from us to keep the CRLs operating for up to 20 years after the certificates already expired. This is something we can do for EV level certs (much lower volume, different payment terms) but would increase the price for Class 2 just for this benefit (where code signing is only part of the options in this level).
Timestamping is thus only available after Extended Validation (EV), which is only available to legally established organizations and costs 199.90 $. So, individual developers cannot use timestamping with a code signing certificate from StartCom.
For a long time, I considered this limitation as a big issue. Recently, I changed my mind: It only happens once every two years, security-minded users might be more inclined to get the latest version of my software, and old versions of the software will still work (for those who want to use it; though without a verified signature).
Note: Always timestamp your code, even when the Lifetime signing flag is set! Timestamped signatures will remain valid until the expiry date of the certificate, even when the certificate has been revoked (obviously, only if the signature was created before the certificate was revoked).
Practical use of certificate
At StartCom, you only pay for validation. The identity validation is valid for 350 days, and during this period, you can request code signing certificates for free. You can only have one valid code signing certificate, and it can be used to sign any code (MSI, DLL, XPI, ...) but not driver code (this requires EV).
To change an attribute on the certificate, the previous certificate must be revoked an a new one requested. Revocation of a certificate costs 29.90 $. Though when I changed my email a day after getting a code signing certificate, they exceptionally revoked my certificate without fee (I was positively surprised)!
Expiration
When your certificate is about to expire (after almost two years), you get a notification (two weeks in advance).
If your verified identity is still valid (recall that validations expire after 350 days; then you have to confirm your identity again for 59.90$), you can request a new certificate without revoking the previous one. Do not forget to publish a new release of your software that's signed with this new code signing certificate, because the previous releases will soon show "(not verified)" or something similar.
OCSP
When I received my certificate, I signed my Firefox add-on. However, it still showed "(Author not verified)", even though my XPI file was correctly signed. It turned out that Firefox did not get the current certificate status when it queried the OCSP servers of StartCom for the revocation status of my new certificate. possibly relevant forum topic
After about a half day, my certificate was known to the OCSP servers, and my name showed up as expected. Lesson learnt: When you've got a new certificate, wait about a day before publishing your software with the new signature.