Blogging this because it took far too long to figure out and because the documentation is spread across too many pages and isn't at all clear.
Generate some signing keys.
Answer some questions. The resulting FILENAME.keystore file must be kept private. This generates a key that's valid for at least 1000 days.