I just wanted to add one little bit to tacit's explanation of signing. It's necessary for the public key of the signature to already be in your system or user keychains as a trusted source. It is the 'root' (aka 'root certificate') from which signatures can be verified.
If you receive something like a java applet on a web page that is signed using a key that is not in any of your keychains, the verification will NOT occur transparently, and you should get a popup saying it's signed by an untrusted source, do you want to run it anyway?
The public key itself in the signature isn't used to generate the verification hash. The public key is specified in the signature by "name" so to speak, and that is looked up in your keychain, to insure you are using the public key cryptography data from your keychain, not just whatever happens to be in the signature. The signature has the crypto in it, it's just not used. Unless you tell it to run anyway and "always trust", at which point it's imported into your keychain for later automatic use.
Security settings in latter OS X can be set to more "strict", such that they don't allow running of software that isn't signed, or is signed by something not in your keychain. (there's no "run it anyway / always trust this signature" option given when you access it)
