Bitcoin - used PKI to download it. Now Bitcoin is reproducibly buildable, so you can read the forum to see if any zealots notice different hashes (which they certainly would unless you are personally being targeted in testing out the software). Make some small transactions to see if it works.

Bitmessage - downloaded it a few days after the initial release. Sent a message over Bitmessage to the Bitmessage author. Got one back from the author.

Tor - trust that the directory servers are doing their jobs.

Signal - haven't used it but if I did I'll piggy-back on phone numbers to message people I already know.

git - used PKI to initially grab the code, trust my own dev machine as I've made commits, occasionally posted commit hashes over various secure/insecure mediums for various reasons (may have done this in person wrt a bug, can't remember).

Notice that in all these cases, trying out the software (at least in the U.S.) does not at all imply that you trust it. You could practice installing Tor 20 different times, on 20 different untrustworthy Windows machines and simply use it to search for cat pictures. Then, the 21st time, you could take all kinds of precautions and build a special box just for running Tor, armed with all the first-hand knowledge about how it works and what its trade-offs are.

I can also completely fuck up something in git and get so frustrated I just clone it again from the repo I don't have to trust because I just check the hashes and go on working.

Requiring physical proximity and a formal key exchange before I can even use the software simply cannot work IMO. It a) requires special planning, coincidence, or proselytization to try out a working version of the app, b) it balloons the length of the engineering cycles and makes it hard to just start over, c) the reliance on in-person meeting implies a level of trust between you, your keys, and your smartphones that neither party should take for granted.

Also, it doesn't scale.