For an update to be accepted by a stock recovery, it must pass a "whole-file signature verification".
Manufacturers use a private key to sign the build and include a corresponding public key in the device's recovery partition. update-signed.zip
An is a compressed archive containing the files necessary to update an Android system, along with a cryptographic signature that verifies the file's integrity and origin. For an update to be accepted by a