How is it possible that Signal still only provides a .deb package and no .rpm, or even better, AppImage or Flatpak? There is an unofficial Flatpak, but is it secure?
Could always do what looks like the Arch AUR package is doing and build it yourself from source. Or if you are running a Fedora/openSUSE distro you could find a package on COPR or something that converts a package from a .deb to .rpm and just change source and stuff to match Signal.
Building from source is the opposite of hacky. It's the recommended way to deal with things like this where you are concerned about trust and security. I understand that it's not something you've done before, but it's not as complicated as it sounds. There are many tutorials on how to build programs from source.
I understand that providing official packages for Fedora/RHEL, Ubuntu/Debian, and Arch-based distro packages along with a Flatpak and AppImage would make a lot of sense, but for whatever reason, Signal has decided not to. Perhaps you can message the Signal team to ask why they choose not to do this.
Sometimes it comes down to support. For every distro-specific format you build and package for, the more you need to do with every release (and need the proper config and to be comfortable packaging for each).