According to the Android developer site, you can use self-signed certificates to sign your applications. No certificate authority is needed. To quote the site:
The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates.
As far as the process for signing your application, take a look at the link I provided. That page has a ton of information regarding signing your application. Here's an excerpt:
When you build in release mode you use your own private key to sign your application. If you don't have a private key, you can use the Keytool utility to create one for you. When you compile your application in release mode, the build tools use your private key along with the Jarsigner utility to sign your application's .apk file. Because the certificate and private key you use are your own, you will have to provide the password for the keystore and key alias.
If you were developing a Windows application I would say that using a certificate authority is a must, since the end user receives a terrible warning without it. However, Android doesn't warn end users in that way.
Here's a Google Groups thread, which mentions the same thing.
If you still want to pursue purchasing a code-signing certificate from a trusted source, the process is fairly straightforward.
- Find a vendor that can supply you with an Android-compatible certificate.
- Purchase the certificate.
- Supply the vendor with the requested documentation to prove you are who you say you are.
- Read the Android documentation to learn how to properly sign your application with your purchased certificate.
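The keytool-plus-jarsigner flow that the quoted documentation describes, written out as an added example (my own script, not code from the Android docs or from the answer above): it generates a self-signed key, signs a stub APK, verifies the signature, and checks that the signer certificate's Issuer equals its Owner, which is exactly what "self-signed" means and why no certificate authority appears anywhere in the process. It assumes a JDK with keytool, jarsigner and jar on PATH; the keystore path, alias, password and distinguished name are placeholders, and the "APK" is a constructed zip containing a stub file, not a real app.

```shell
#!/bin/sh
# Added example: self-signed Android release signing with keytool + jarsigner.
# Assumes a JDK (keytool, jarsigner, jar) on PATH. All names below are placeholders.
set -eu

KEYSTORE="${KEYSTORE:-release.keystore}"   # hypothetical path
ALIAS="${ALIAS:-release-key}"              # hypothetical key alias
STOREPASS="${STOREPASS:-changeit}"         # demo password only; never ship this

# Create a 2048-bit RSA key pair inside a self-signed certificate with a long
# validity period. No certificate authority is involved at any point.
make_self_signed_key() {
    if [ -f "$KEYSTORE" ]; then
        return 0   # reuse an existing keystore rather than clobbering it
    fi
    keytool -genkeypair -v \
        -keystore "$KEYSTORE" -storetype PKCS12 -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity 10000 \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Example Dev, OU=Mobile, O=Example, L=City, ST=State, C=US" \
        >/dev/null 2>&1
}

# Build a placeholder APK: a zip holding a constructed stub, not real dex bytecode.
make_stub_apk() {   # $1 = output path
    printf 'constructed stub, not real dex bytecode\n' > classes.dex
    jar cf "$1" classes.dex
}

# Sign the APK with the private key from the keystore (release-mode signing).
sign_apk() {        # $1 = unsigned apk, $2 = signed output
    jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -sigalg SHA256withRSA -digestalg SHA-256 \
        -signedjar "$2" "$1" "$ALIAS" >/dev/null
}

# Succeeds only when jarsigner reports "jar verified."; an unsigned file fails.
verify_apk() {      # $1 = apk to check
    jarsigner -verify -certs "$1" | grep -q 'jar verified'
}

# Succeeds when the certificate's Issuer is its own Owner, i.e. it is self-signed.
cert_is_self_signed() {
    info=$(keytool -list -v -keystore "$KEYSTORE" -alias "$ALIAS" -storepass "$STOREPASS")
    owner=$(printf '%s\n' "$info" | sed -n 's/^Owner: //p' | head -n1)
    issuer=$(printf '%s\n' "$info" | sed -n 's/^Issuer: //p' | head -n1)
    [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Print the SHA-256 fingerprint of the signing certificate (the value you
# would register with services that pin your app's signer).
cert_fingerprint() {
    keytool -list -v -keystore "$KEYSTORE" -alias "$ALIAS" -storepass "$STOREPASS" \
        | sed -n 's/^[[:space:]]*SHA256: //p' | head -n1
}

demo() {
    make_self_signed_key
    make_stub_apk app-unsigned.apk
    sign_apk app-unsigned.apk app-release.apk
    verify_apk app-release.apk && echo "signature verified"
    cert_is_self_signed && echo "signer certificate is self-signed (no CA involved)"
    echo "signer SHA-256 fingerprint: $(cert_fingerprint)"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh sign-apk.sh demo` in an empty directory. Two caveats a practitioner would want: passing `-storepass` on the command line exposes the password to shell history and `ps`, so for real builds let the tools prompt or read it from a protected file; and jarsigner produces only the older v1 (JAR) signature, while current SDK build-tools use `apksigner`, which also emits the newer APK signature schemes. The self-signed principle is identical either way.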