Signal security theater
If this is your first install why would you trust a fingerprint sitting just next to the apk?
Meanwhile Signal PGP keys are nowhere to be found
Discussion
This happens everywhere, like those people who put fingerprints of stuff on GitHub just next to the binary for download. Is it just some good practice that some made sense in the HTTP times and now people can't let go?