If the hacker controls the computer there's nothing stopping them from replacing anything on the computer including the bios, necessary system files, etc.
The update signing prevent malicious updates from being installed. It doesn't prevent hackers from compromising your or your customer's computers from other methods and altering the computer.