Transaction do not need to be signed. They are if the locking script requires so, which is the most usual thing, but scripts redeemable without a signature can also be valid.
That being said, a transaction redeeming from a script that does not requires a signature could be highly insecure, since a peer (or a miner) that receives so can easily change the output.