I once came across a similar "solution". The signing algorithm was directly executed from the update package. How would we otherwise be able to update the signature algorithm? Worst part was that it was correct at some point. It was an introduced regression because of a signature change due to " post-quantum safe" signatures now being required by the security team.