
Signal doesn't. They give you a hash not a signature. I.e. if you have control over their site, you can push a malicious Signal application and change the hash.


This is false. The Signal APK is signed with the same signature as the APK on Google Play. If the signature was different then Android would not allow me to overwrite/update my Google Play Signal installation with the APK that I just downloaded from that site.

On Android, APKs are almost always signed by default (even if they're only self-signed).



