[plug] How does "signing" work?

[Derek Fountain]

For months now I've read statements like this one from LWN:

"there appears to be no legal impediment that can prevent systems vendors from 
requiring kernels to be signed by a private key before they can be run"

I normally think "er, right" and move on. Today it occurred to me to wonder 
exactly what the process for "signing" something is.

What actually happens, say on a step by step basis, to enforce this "signing" 
enforcement? What technology actually prevents me from running an unsigned 
kernel (or whatever) if I want to?

-- 
"...our desktop is falling behind stability-wise and feature wise to KDE 
...when I went to Mexico in December to the facility where we launched gnome, 
they had all switched to KDE3." - Miguel de Icaza, March 2003