You can set up fully automated signing as part of your builds with no entry of any passwords. This can be done for regular PB as well as PS applications. It is done via a command file (batch file).
We use USB tokens, but the same can apply to key vaults. Key vaults tend to have a max # of signings; we sometimes do multiple daily builds and we have about 7 exes that get signed, not including the PowerServer stuff. So for us it made more sense to use the token. If you are just doing an occasional build and only have a few exes, then I would probably do more of a manual signing.
We use the EV token (used to use the standard one). I think the EV is worth using if you are deploying a PowerServer application - otherwise you get the browser warnings when you download the PS launcher.
We use Comodo. The process of getting verified can take a while. Code signing certs are expensive now.
The PS help is pretty good on giving you how to set up a command file. I wish I had it before going through the process of searching Stack Overflow on how to get it to work.
https://docs.appeon.com/ps2022r3/Security_page.html#Signing
How to set up a hardware token to sign without having to enter a password:
https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
This is not the case; well, it sort of is the case. You use an external command file to sign.