
The Signal code is public and has been widely reviewed. We know full well what the server knows regardless of what they say.



Suppose an update is rolled out in app stores, and many people update to it. Suppose this new version contains surveillance instead of matching the published/reviewed code. Won't there be some substantial period of time during which many messages can be stolen before somebody eventually goes on Twitter to say "hmm, Wireshark shows more data than I'd expect" and/or "hmm, I can't get the source to build quite like the store's new APK"?


Then we're screwed. All mainstream applications running on modern general purpose computers are vulnerable to this.

You don't like that? Stop busting their balls and produce an alternative operating system and application update framework which is not vulnerable.


That means the end-to-end encryption (if you verify your identities) works. It says nothing about how much metadata Signal collects.


We know exactly how much metadata can be collected. You can just look at how the official client works. You can reverse engineer what the server has to do. This is not a matter of uncertainty. Signal doesn't mention the collection of the push messaging device IDs explicitly. But that ID doesn't yield a government-level adversary any advantage that they don't already have from knowing the phone number, so it doesn't matter. Contact intersection can be logged, then pre-imaged. We can't know. But we already know it can because we know how the clients work. That's it.

Signal doesn't claim cryptographic security against that metadata collection, but then there isn't currently any working system that can make such a claim, so why bust their balls over it?


That is at least an indication, but unfortunately not a proof. They could run modified versions on their servers, if they wanted.


No, it simply does not matter what modified version of their server they run. We know what the clients do, and we know what the servers can log. This is a fact as sure as day follows night, and that an apple will fall to the ground when dropped. It isn't even debatable. Your comment is incorrect, full stop.



