I know it's bad form to actually answer your own question, but since there seem to be few "hands on" examples for this under Delphi, I decided to post what I found here to help others.
Security, certificates and signatures are a massive and complex topic which requires serious study, so forgive me for the simplicity of this post. It is only meant to point people in the right direction.
Signing XML, what does it mean?
In very simple, hands-on terms this is what happens:
- You generate a HASH of your XML document (MD5 for instance, or SHA1)
- You encrypt this HASH using the private key, either generated by yourself or provided/derived by your certificate
- A new XML node (DSIG signature) is inserted into the document which contains the encrypted hash (and more)
In order to verify that an XML document has not been tampered with, the reader must use the public key to decode the HASH value. So the reader-software must generate a hash of the same document (minus the appended XML) and compare that to the (decrypted) value embedded in the document. If these match, then we know the document is intact. And it will only match if you use a valid key to decrypt the appended hash.
Since this is tedious work (and it includes quite a few steps, like looking up providers in the keystore [in my case] and much, much more) I ended up buying ready-made VCL components from ELDOS (SecureBlackBox) which saved me a lot of time.
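The sign-then-verify steps described above, as an added Go example that is not from the original post and not SecureBlackBox code. It uses SHA-256 and RSA PKCS#1 v1.5 (the primitives behind rsa-sha256 in XML-DSig) from the Go standard library, and a deliberately simplified `<Signature>` node in place of real XML-DSig canonicalisation (C14N) and the SignedInfo/DigestValue structure; `sigNode`, `SignXML`, `VerifyXML` and `NewKey` are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"regexp"
	"strings"
)

// Stand-in for the DSIG <Signature> node; real XML-DSig also carries SignedInfo/DigestValue
// and canonicalises the input (C14N) before hashing, both skipped here for brevity.
var sigNode = regexp.MustCompile(`<Signature>([^<]*)</Signature>`)

// SignXML hashes the document (minus any signature node), signs the digest with the
// private key (RSASSA-PKCS1-v1_5, the scheme behind rsa-sha256 in XML-DSig) and inserts
// a <Signature> node as the last child of the root element. Assumes a closed root tag.
func SignXML(doc string, key *rsa.PrivateKey) (string, error) {
	digest := sha256.Sum256([]byte(sigNode.ReplaceAllString(doc, ""))) // "document minus the appended XML"
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	node := "<Signature>" + base64.StdEncoding.EncodeToString(sig) + "</Signature>"
	i := strings.LastIndex(doc, "</") // position of the root's closing tag
	return doc[:i] + node + doc[i:], nil
}

// VerifyXML extracts the signature, re-hashes the rest and checks it with the public key;
// any byte changed after signing, or a missing or garbled node, makes it return false.
func VerifyXML(doc string, pub *rsa.PublicKey) bool {
	m := sigNode.FindStringSubmatch(doc)
	if m == nil {
		return false // no signature node present
	}
	sig, err := base64.StdEncoding.DecodeString(m[1])
	digest := sha256.Sum256([]byte(sigNode.ReplaceAllString(doc, ""))) // same bytes the signer hashed
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// NewKey generates a throwaway 2048-bit RSA key pair for the demonstration.
func NewKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}
```

Whether the verifying public key or its certificate is itself trusted is a separate check (the "valid key" in the text) that this example does not perform.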
External references