With everyone 'DeGoogling' Android apps are being installed more and more from simple website downloads. This is much less safe than using Google Play (or F-Droid). In order to add some safety websites often publish a SHA256 hash of their signing certificate so users can verify the file they downloaded hasn't been intercepted in transit and replaced with something containing malicious code.
See the Signal web download page:Signal APK download page
The verify link here sends users to developer.android.com/studio/command-line/apksigner where there are instructions on using the command-line tool apksigner to verify the integrity of the downloaded .apk. Signature makes that verification easier, users can download apps from websites straight to their Android devices and verify the .apk before installing.Download Signature