Produce detatched signature for setup executable using new and old keys
This is slightly fraught: If we don't specify a digest preference, sha1
will be used with both keys, which we don't want. Even if we do specify
a digest preference, sha1 is still used for DSA, and gpg won't verify
all the signatures, if they don't use the same hash algorithm (See [1]).
So specify dsa2 as well, to allow sha256 to be used in both signatures.