The steps below assume you have an old key to "chain-sign" with, e.g. when the old key is about to expire and you want the new key to carry a certification from the old one so existing trust carries over. If you are just creating a brand new key pair to sign binaries with, you can skip the chain-signing steps.
- In Kleopatra, go to File -> New OpenPGP Key Pair
- Fill in Name and e-mail address, and check "protect with a passphrase".
- Click "Advanced settings" and choose your algorithm (recommended: ECDSA/EdDSA with ed25519/cv25519, but RSA with 3072 bits or larger is also acceptable).
- Make sure you check "signing" under certificate usage, and set an expiry date you want (or no expiry if you're going to be super diligent about safe storage).
- Click OK, then OK again, and enter your passphrase (twice). After this, you will have a new key pair that is self-certified (the only certification on it is its own).
- To "chain sign" (sign the new key with your old one), right-click on the new key pair entry in Kleopatra, select "Certify..."
- In the dialog that opens, at "Certify with:" select the old key you want to sign with. Under "Advanced" you can double-check that it is set to "Certify for everyone to see (exportable)" and "Publish on keyserver". Do not check "Certify as trusted introducer" and do not set an expiration date on the certification.
- If it asks for an extra confirmation because "you haven't certified all valid user IDs", just confirm with "Export", then confirm again at the warning that once published it is almost impossible to revoke your signature (that is exactly what you want here).
- The signing and publishing to the keyserver will now happen. Kleopatra gives no feedback while this runs, so be patient; it can take some time. When done, it reports the result in a small dialog.
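Kleopatra is a front end for GnuPG, so the same procedure can be done and, more importantly, verified from the command line. The script below is an added example, not part of the original guide: in a throwaway `GNUPGHOME` it generates a constructed "old" and "new" ed25519 key pair, chain-signs the new key with the old one using `--quick-sign-key` (which creates an exportable certification, matching the "exportable" setting in Kleopatra), and then checks two things a maintainer should confirm after chain-signing: that `gpg --check-sigs` shows a good signature from the old key on the new key, and that the signature survives `gpg --export`, i.e. it is what will reach the keyserver. The user IDs and the empty passphrases are constructed for the demo only. If `gpg` is not installed the function reports `skip` instead of failing.

```shell
#!/bin/sh
# Added example: chain-sign a new OpenPGP key with an old one via gpg and
# verify the certification is present and exportable. Keys, user IDs and the
# empty passphrases below are constructed for the demo; never use an empty
# passphrase on a real signing key.
set -eu

# Print the primary-key fingerprint of the key whose user ID exactly matches $1.
fpr_of() {
    gpg --batch --with-colons --list-keys "=$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate an ed25519 signing key (the primary key also gets certify capability)
# with a one-year expiry, and print its fingerprint.
gen_key() {
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "$1" ed25519 sign 1y >/dev/null
    fpr_of "$1"
}

# Exportable chain signature: certify all user IDs of key $2 with key $1.
chain_sign() {
    gpg --batch --yes --quiet --passphrase '' --pinentry-mode loopback \
        --default-key "$1" --quick-sign-key "$2" >/dev/null
}

# Check 1: the keyring shows a *good* ("!") signature on the new key ($1) made
# by the old key ($2). Field 5 of a "sig" line is the long key ID, which is the
# last 16 hex digits of the 40-digit fingerprint.
has_good_chain_sig() {
    keyid=$(printf '%s' "$2" | cut -c25-40)
    gpg --batch --with-colons --check-sigs "$1" \
        | awk -F: -v k="$keyid" '$1 == "sig" && $2 == "!" && $5 == k { f = 1 }
                                 END { exit !f }'
}

# Check 2: the signature is exportable, so it appears in the exported key
# (a local/non-exportable signature would be dropped here).
export_carries_sig() {
    keyid=$(printf '%s' "$2" | cut -c25-40)
    gpg --batch --export "$1" | gpg --batch --list-packets 2>/dev/null \
        | grep -q "signature packet:.*keyid $keyid"
}

# Run the whole flow in an isolated GNUPGHOME; prints "ok", "skip" or "fail".
chain_sign_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

    old=$(gen_key "Old Release Key <old@example.invalid>")   # constructed
    new=$(gen_key "New Release Key <new@example.invalid>")   # constructed
    chain_sign "$old" "$new"

    if has_good_chain_sig "$new" "$old" && export_carries_sig "$new" "$old"; then
        echo ok
    else
        echo fail
    fi
}

# Usage (stand-alone): prints "ok" when the chain signature is present and exportable.
[ "${1:-}" = run ] && chain_sign_demo
```

Run it with `sh chain_sign_demo.sh run`. The two checks are the command-line equivalent of what to look for in Kleopatra after the "Certify..." step: the new key's certifications list should show the old key, and the exported (published) key must still contain that certification.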
