the sig file is not necessary - you would need the linuxXX-virtualbox-host-modules as well - or use dkms and the linuxXX headers.
But it is a must - very important - that all packages align with the system.
There a lot a methods you can use to ensure it - you can even create a copy of the relevant repo at any given time and use this for your local maintenance.
Just search for keywords local manjaro mirror