I'd like to avoid this scary messages when users install my application:
I understand I have to buy a certification or something like that. Can you tell me where should I buy it and what should I do with that after? I'd like to sign my exe application automatically. Furthermore, I use InnoSetup and I'd like to add the signature automatically when creating a new package (EXE file)
If you want to be a "Known Publisher" you need a certificate from an authority like Verisign, etc. It's not cheap (Verisign charges ~$400/yr).
https://www.symantec.com/verisign/code-signing/microsoft-authenticode/buy
See also :
http://msdn.microsoft.com/en-us/library/ms247066
https://stackoverflow.com/a/1191152/327083
Basically there are two things you can do - Strong Name signing and Authenticode signing.
Strong Name signing alone will not identify the publisher of the assembly but it does associate the assembly with a trusted key and can detect assemblies which have been tampered with. You would have to distribute your own key/certificate to your users and have them install them. There is no third-party system in place to handle this.
Authenticode (ie: Verisign, etc) costs money for the third party certification but allows for the entire process to be nicely shrink-wrapped and identifies you as a known publisher.
Still, users would still see that dialog box with default UAC settings even with a Verisign certificate (at least the first time) - it would simply identify who it came from (Known publisher, name, etc). They would, however, get the option to "Always trust" from your publisher (which you do not get as an 'unknown publisher').