A digital signature on an electronic document or other object is created by using a form of cryptography and is equivalent to a personal signature on a written document.
A digital signature provides proof of the object's origin and a means by which to verify the object's integrity. A digital certificate owner "signs" an object by using the certificate's private key. The recipient of the object uses the certificate's corresponding public key to decrypt the signature, which verifies the integrity of the signed object and verifies the sender as the source.
A Certificate Authority (CA) signs certificates that it issues. This signature consists of a data string that is encrypted with the Certificate Authority's private key. Any user can then verify the signature on the certificate by using the Certificate Authority's public key to decrypt the signature.
A digital signature is an electronic signature that you or an application creates on an object by using a digital certificate's private key. The digital signature on an object provides a unique electronic binding of the identity of the signer (the owner of the signing key) to the origin of the object. When you access an object that contains a digital signature, you can verify the signature on the object to verify the source of the object as valid (for example, that an application you are downloading actually comes from an authorized source such as IBM®). This verification process also allows you to determine whether there have been any unauthorized changes to the object since it was signed.
An example of how a digital signature works
A software developer has created an i5/OS™ application that he wants to distribute over the Internet as a convenient and cost-effective measure for his customers. However, he knows that customers are justifiably concerned about downloading programs over the Internet due to the increasing problem of objects that masquerade as legitimate programs but really contain harmful programs, such as viruses.
Consequently, he decides to digitally sign the application so that his customers can verify that his company is the legitimate source of the application. He uses the private key from a digital certificate that he has obtained from a well-known public Certificate Authority to sign the application. He then makes it available for his customers to download. As part of the download package he includes a copy of the digital certificate that he used to sign the object. When a customer downloads the application package, the customer can use the certificate's public key to verify the signature on the application. This process allows the customer to identify and verify the of the application, as well as ensure that the contents of the application object has not been altered since it was signed.