I neglected to mention that the first time you install Signal it should come from a trusted source (e.g. copy it from someone who is happy to use the play store), then updating via apkmirror is safe, since the signatures will match.
I've heard people recommend Raccoon in the past but my phone is something so vital that makes me worried about stuff breaking (the combination of using a lot of 3rd party parts like MicroG, Racoon, apkmirror, ...).
I wonder if it's possible to dual boot without root and also keeping encryption on, that way I can have a safe option if anything breaks.
Damn, why is it so hard to have control over your things these days. It wears me down.
Also this might be useful a desktop play store client: http://www.onyxbits.de/raccoon