Originally Posted by pinecones
What is having the signature checked and by what system? Is the recovery tool verifying the signature of the WIM file it's deploying? Will the recovery media not boot because the media is modified?
Will the recovery media creation tool not create bootable media if the WIM file it's using doesn't have a matching signature?
Each component in the startup process validates the signatures of the next component. If the signature is not made by a known authority, the next component is discarded and the startup process terminates.
Whether or not the recovery media verifies the signatures in the WIM file is irrelevant - once extracted, the firmware won't load an improperly signed bootloader, and since the only signed bootloader we have is the Windows bootloader, it won't load an improperly signed kernel.
The only way the recovery image creator could help is if we had a way around Secure Boot, which we don't. (If we did, the recovery image creator wouldn't be necessary in the first place - you'd just drop the desired OS on the machine through whatever method was necessary, probably an installer of some form, and be done with it.)
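A small model of the chain of trust described in the reply above, added here as an illustration and not code from the thread. HMAC with constructed keys stands in for real signatures, and the component and authority names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed keys. HMAC stands in for a signature here; real Secure Boot
# verifies asymmetric signatures against certificates held by the firmware.
KEYS = {"known-authority": b"constructed-key-1", "unknown-authority": b"constructed-key-2"}

@dataclass(frozen=True)
class Component:
    name: str
    image: bytes
    signer: str
    signature: bytes
    trusts: frozenset = frozenset()  # signers this stage accepts for the next one

def sign(image: bytes, signer: str) -> bytes:
    return hmac.new(KEYS[signer], image, hashlib.sha256).digest()

def build(name, image, signer, trusts=()):
    return Component(name, image, signer, sign(image, signer), frozenset(trusts))

def verify(comp: Component, trusted: frozenset) -> bool:
    # Reject an unknown signer first, then a signature that no longer matches the image.
    if comp.signer not in trusted:
        return False
    return hmac.compare_digest(sign(comp.image, comp.signer), comp.signature)

def boot(firmware_trusts, chain):
    """Walk the chain; each stage is checked by the stage before it."""
    trusted, loaded = frozenset(firmware_trusts), []
    for comp in chain:
        if not verify(comp, trusted):
            return loaded, f"halted: {comp.name} rejected"
        loaded.append(comp.name)
        trusted = comp.trusts
    return loaded, "booted"

FIRMWARE_TRUSTS = {"known-authority"}
BOOTLOADER = build("bootloader", b"stock bootloader", "known-authority", {"known-authority"})
KERNEL = build("kernel", b"stock kernel", "known-authority")

def scenarios():
    modified_kernel = replace(KERNEL, image=b"kernel from a modified image")  # old signature kept
    resigned_loader = build("bootloader", b"other bootloader", "unknown-authority", {"unknown-authority"})
    return {
        "stock": boot(FIRMWARE_TRUSTS, [BOOTLOADER, KERNEL]),
        "modified kernel": boot(FIRMWARE_TRUSTS, [BOOTLOADER, modified_kernel]),
        "unknown-signed bootloader": boot(FIRMWARE_TRUSTS, [resigned_loader, KERNEL]),
    }
```

In this model the modified kernel is rejected by the bootloader regardless of how the image reached the disk, which is why the recovery tool's own checks do not change the outcome.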