Thanks to the folks at ARX - developers of Cosign - for an excellent FAQ page on all things electronic signature. This post contains content copied from their FAQ on how digital signatures work:
Meet Bob and Alice.
Step 1: Getting a Private and Public Key
In order to digitally sign a document, Bob needs to obtain a private and public key pair, which is a one-time process. The private key, as the name implies, is not shared and is used only by the signer. The public key is openly available and is used by those who need to validate the signer's digital signature.
Initiate the signing process - Depending on the software used, Bob needs to initiate the signing process (e.g., by clicking a "Sign" button on the software's toolbar).
Create a digital signature - A unique digital fingerprint of the document (sometimes called a message digest or document hash) is created using a mathematical algorithm (such as SHA-1). Even the slightest difference between two documents produces a different fingerprint for each of them.
Append the signature to the document - The hash result and the user's digital certificate (which includes the user's public key) are combined into a digital signature (by using the user's private key to encrypt the document hash). The resulting signature is unique to both the document and the user. Finally, the digital signature is appended to the document.
Bob sends the signed document to Alice. Alice uses Bob's public key (which is included in the digital certificate) to authenticate Bob's signature and to ensure that no changes were made to the document after it was signed.
Validating a Digital Signature
Initiate the validation process - Depending on the software used, Alice needs to initiate the validation process (e.g., by clicking a "Validate Signature" menu option or toolbar button).
Decrypt the digital signature - Using Bob's public key, Alice decrypts his digital signature and recovers the original document fingerprint (the hash that was computed when the document was signed).
Compare the document fingerprint with her calculated one - Alice's software then calculates the hash of the received document and compares it with the original document hash (from the previous step). If they are the same, the signed document has not been altered.
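The signing steps above (fingerprint, private-key operation, append) and the three validation steps are shown end to end in the following Go program. It is an added example and not code from the ARX FAQ or the CoSign product. It uses only the Go standard library: RSA with PKCS#1 v1.5 padding, because that scheme matches the FAQ's "encrypt the hash with the private key" description most closely, and SHA-256 in place of the SHA-1 the FAQ names, since SHA-1 collisions have been demonstrated. The "initiate" steps are user-interface actions and have no code counterpart. The `recoverDigest` function performs the raw public-key operation so the "decrypt the signature and recover the fingerprint" step can be seen; it exists for illustration, and `verify` is what real code should call. The sample document text and the `SignedDocument` type are constructed for the example; the bare public key stands in for Bob's certificate.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// SignedDocument is what Bob sends to Alice: the document with the signature
// appended. In practice Bob's certificate (public key plus CA endorsement)
// travels with it; here the bare public key stands in for the certificate.
type SignedDocument struct {
	Content   []byte
	Signature []byte
}

// DER header that PKCS#1 v1.5 places in front of a SHA-256 hash (RFC 8017, 9.2).
var sha256DigestInfoPrefix = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
	0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// generateKeys is Step 1, done once: Bob keeps the private key and hands the
// public key to anyone who must validate his signatures.
func generateKeys() (*rsa.PrivateKey, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// fingerprint is the document's message digest (SHA-256 rather than SHA-1).
func fingerprint(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// sign applies Bob's private key to the digest and appends the result to the
// document. A different document or a different key gives a different signature.
func sign(priv *rsa.PrivateKey, doc []byte) (*SignedDocument, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, fingerprint(doc))
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: doc, Signature: sig}, nil
}

// recoverDigest shows the "decrypt the signature with Bob's public key" step:
// the raw RSA public-key operation yields the padded message whose tail is the
// digest Bob signed. Illustrative only; verify() checks everything properly.
func recoverDigest(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := pub.Size()
	if len(sig) != k {
		return nil, errors.New("signature length does not match key size")
	}
	s := new(big.Int).SetBytes(sig)
	if s.Cmp(pub.N) >= 0 {
		return nil, errors.New("signature is not smaller than the modulus")
	}
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).FillBytes(make([]byte, k))
	// Encoded message layout: 0x00 0x01 FF..FF 0x00 DigestInfo(hash).
	tStart := k - sha256.Size - len(sha256DigestInfoPrefix)
	if em[0] != 0x00 || em[1] != 0x01 || em[tStart-1] != 0x00 ||
		!bytes.Equal(em[tStart:tStart+len(sha256DigestInfoPrefix)], sha256DigestInfoPrefix) {
		return nil, errors.New("recovered message is not a PKCS#1 v1.5 SHA-256 signature")
	}
	return em[k-sha256.Size:], nil
}

// verify is Alice's side: recompute the fingerprint of the received document
// and compare it with the one carried by the signature. Any edit made after
// signing, or a signature from some other private key, makes this fail.
func verify(pub *rsa.PublicKey, sd *SignedDocument) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, fingerprint(sd.Content), sd.Signature)
}

func main() {
	priv, pub, err := generateKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; a PDF or any other bytes would do.
	doc := []byte("Bob agrees to deliver 100 widgets to Alice by Friday.")
	sd, err := sign(priv, doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", verify(pub, sd) == nil)
	d, _ := recoverDigest(pub, sd.Signature)
	fmt.Println("signed digest equals recomputed digest:", bytes.Equal(d, fingerprint(doc)))
	// One character changed after signing: the recomputed fingerprint differs.
	tampered := &SignedDocument{Content: []byte("Bob agrees to deliver 1000 widgets to Alice by Friday."), Signature: sd.Signature}
	fmt.Println("tampered verifies:", verify(pub, tampered) == nil)
}
```

Run it with `go run .`; the two verification lines print `true` for the original document and `false` for the altered one, and the digest recovered from the signature equals Alice's own SHA-256 of the original.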
There is yet another factor involved. How can Alice know whether Bob is indeed the same person she intends to conduct business with? Bob needs to be certified by a trusted third party that knows him and can verify that he is indeed who he claims to be. These trusted third parties are called Certificate Authorities (CAs). They issue certificates to ensure the authenticity of the signer. Certificates can be compared to passports issued by countries to their citizens for world travel. When a traveler arrives in a foreign country, there is no practical way to authenticate the traveler's identity directly. Instead, the immigration policy is to trust the passport issuer (in PKI terminology, this is the CA) and use the passport to authenticate its holder, in the same way that Alice uses the CA-issued certificate to authenticate Bob's identity.