Any released device with a stock recovery from the OEM does not have or recognise the public key corresponding to the 'test' private key. Even if the build hasn't been explicitly signed, the test-signing is implicit. , root packages or custom ROMs, use the publicly known AOSP (Android Open Source Project) private keys for signing the deployment build.
This is a 'release' key, and the only type of a key a stock recovery will recognize using its corresponding public key when asked to 'Install Update from SD Card'. a stock OTA zip, use a private key specific to the OEM for signing the build. It's in the cryptographic keys used to sign the deployment builds, or the zips in this case. So what is the difference between the 'signed' and allegedly 'unsigned' packages?
They can be stock OTA zips, root packages or even custom recovery or ROM zips.