How can you digitally sign a file that gets created when an update check is done, answer you can't and I would have though that privatefirewall would know that. I somehow doubt that digital signing has anything to do with privatefirewalls blocking, so blocking/asking about a new foreign program is fine, but to my mind the digital signature is a big red herring.
The avast.setup file is I believe created from the setup.ovr file in the setup folder to manage the update process. Strange that my firewall has no problem with this creation.
For the most part this creation of the avast.setup file will be the same as the last version but there are times when it will have changed and only then should a firewall pipe up and you allow it and check any remember this decision, etc...