Now, scriptSig contains a signature and a public key. My first question: this is the recipient's public key, right?
To be clear, let's take an example:
You own the address 1Q2GpwLudfcNi9agitQPYa4y1rNZgnrC1d
Yesterday you received 1BTC:
http://blockexplorer.com/tx/4f6f864d3047bf441317fc0f5d1586325c9e740e923c7949cc28333ff74d19df#o1
If you want to use that BTC, for example if you want to send it to me, your new transaction will be:
1TxIn: hash=4f6f864d, index=1, scriptSig= Sig + your pubkey(0457d7d7af586aaad529b5770bb43295051e7090e2bc884181d608dae2517c7812b25e326753cbe0b767f579bbcb5cffe492d22b93f2ff5501074eb9e8f8547c4a)
1TxOut: OP_DUP OP_HASH160 5c3f294acb5059a968c4a35700b5432a7397002b (i.e. the Hash160 of my pubkey) OP_EQUALVERIFY OP_CHECKSIG
Second question: the hash there (4043...) is recipient's address, which is simply SHA256^2(recipient's pub key). Is that correct?
No, it's ripemd160(sha256(recipient's pubkey))
What I don't get is how the signature is checked? How does the client retrieve the sender's public key?
It retrieves it when the recipient claims the coins: in the example below, when you sent me the coin you had to put your pubkey in scriptSig
EDIT: was going to reply but jackjack will give a far better answer than I could
Will
Not necessarily, if I missed something please post
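The relationship discussed in this thread between an address and the Hash160 inside the output script, as an added example that is not code from any poster: it converts between a Base58Check address and the 20-byte hash, and builds the `OP_DUP OP_HASH160 <hash> OP_EQUALVERIFY OP_CHECKSIG` script bytes. The function names are assumptions made for this example; the double SHA256 appears only in the address checksum, not in the pubkey hash.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    # First 4 bytes of SHA256(SHA256(payload)): the address checksum.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def hash160_to_address(h160: bytes, version: int = 0x00) -> str:
    """Base58Check-encode version byte + Hash160 + checksum."""
    if len(h160) != 20:
        raise ValueError("Hash160 must be 20 bytes")
    raw = bytes([version]) + h160
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as a literal '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def address_to_hash160(addr: str) -> bytes:
    """Decode an address, verify its checksum, return the 20-byte Hash160."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or checksum(raw[:21]) != raw[21:]:
        raise ValueError("bad Base58Check length or checksum")
    return raw[1:21]

def p2pkh_script(h160: bytes) -> bytes:
    # OP_DUP OP_HASH160 <push 20 bytes> h160 OP_EQUALVERIFY OP_CHECKSIG
    return bytes([0x76, 0xA9, 0x14]) + h160 + bytes([0x88, 0xAC])

if __name__ == "__main__":
    # Hash160 taken from the TxOut shown in the thread.
    h = bytes.fromhex("5c3f294acb5059a968c4a35700b5432a7397002b")
    addr = hash160_to_address(h)
    print("address     :", addr)
    print("scriptPubKey:", p2pkh_script(address_to_hash160(addr)).hex())
```

A client spending the output then checks that the Hash160 of the pubkey supplied in scriptSig equals these 20 bytes before checking the signature.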