Unfortunately, this is the world Signal lives in. Installing binary Debian packages securely directly from a vendor requires the installation of GPG keys, which is what 2 of the 3 commands are regarding. If Ubuntu had spent resources to develop a convenient way for developers to directly provide binaries to the users of their OS, instead of developing a system where they are gatekeepers and distribute all packages, Signal would now be able to provide an easier secure method of installation. If you were providing a privacy-focused product where, in some uses, that privacy can be the difference between life and death, would you want to turn over supply chain protection of that product to a 3rd party?
What made you think they'd be willing to compile from untrusted sources?
There are a lot of users that prefer the established trust model of a Linux distribution.
They're willing to trust the mostly unpaid Debian maintainers, for example... but not John Doe, the temporarily set back billionaire who's just about to make it big.
I’m a developer too. Currently job title “senior enterprise systems engineer”. It would take me much longer than that to ensure the code is ok. Additionally, without modelling the code (and proving it correct) in something like Coq, you will never understand the calculus of inductive constructions behind the code and have no guarantees as to its correctness.