The math that makes public key encryption work also makes digital signatures secure. Short version, using random numbers, you make a pair of related keys, a public key (pk) and a private (secret) key (sk). You are the only person with secret key. There is a set of mathematical formulas that encrypt and decrypt. To send someone an encrypted message, yout take their public key and encrypt the message with an ENCRYPTING algorithm. ENCRYPT(MESSAGE, pk) → SECRET_MESSAGE. Unless you know the private key, you cannot decrypt the message. To read the message, use the DECRYPTING algorithm, DECRYPT(SECRET_MESSAGE, sk) → MESSAGE. Now, with this in mind, suppose I want to prove a message is from me. I can do a clever trick. I can DECRYPT (!) a message with my private key to make an enciphered public message. DECRYPT (MESSAGE, sk) → PUBLIC_MESSAGE Anyone with my public key can read this message by “encrypting” it with my public key. ENCRYPT (PUBLIC_MESSAGE, pk) → MESSAGE Now, since only my public key will produce the message when running the encryption algorithm, you can be assured it was from me! The problem here is that nobody can read the message without using the key, despite the fact that it is a public message. So, instead of enciphering the entire message, we do a trick. We run a Cryptographic hash function (sometimes called a digest) on the message to produce a fixed-length binary value that represents the message. In general, it is VERY difficult, nearly impossible, to produce two messages that result in the same hash value. It is impossible to have two intelligible messages with the same hash. The probability is so low that a message that produces an identical hash is considered identical. Now, we can produce the PUBLIC_MESSAGE and it’s digest, PUBLIC_MESSAGE_HASH. The signature gets created by running DECRYPT(PUBLIC_MESSAGE_HASH, sk) → SIGNATURE. The enciphered signature is readily exposed along with the message. Now, anyone can run ENCRYPT (SIGNATURE, pk) → PUBLIC_MESSAGE_HASH. Given the PUBLIC_MESSAGE, SIGNATURE, and the public key (pk), the receiver can calculate the digest of PUBLIC_MESSAGE and compare it to the derived PUBLIC_MESSAGE_HASH extracted from the signature. If t match, t know for sure that the message is authentic, untampered, and sent by the holder of the secret key (sk) associated with the public key (pk) of the purported sender.
Troubleshooting the Problem The problem in this section is that the public keys are not exactly the same as the private keys. The public secret key might actually have many names. Now, if I wanted to prove a message is from me, I could create a fake PUBLIC_MESSAGE and create a message that would prove it. When the messages are run on my computer, the public key (pk) and private key (SK) will not agree. This is because each key will be associated with a different message. For example, it doesn't always produce PGP messages with the same signature. The public key will be used to encrypt, and the private key (SK) will be used to decrypt. When you see a signed message, you can verify whether it was signed by the owner of PGP with a public key, or by the private key associated with SK. So, I.