To me the nomenclature is a bit frustrating. I prefer the terms output script and input script. The scriptPubKey and scriptSig fields are scripts, they don't have to contain a pubkey, a signature, etc. The reason they were named this way is because
normally the output script contains a public key which 'locks' the funds, and the input script contains a signature (or a signature and public key - it depends, will get to that in a sec) which verifies against the previous output scripts public key. It indicates the type of that that will be included, but it doesn't necessarily have to be that way.
I'm actually a bit confused about your example transaction, because public keys don't start with 90. What you've found is a transaction that spends newly mined coins
https://www.blocktrail.com/BTC/tx/f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6You can see on that page, that the output script is this:
This type of output script is known as a pay-to-pubkey script - there is no pubkey hash here, and that's because addresses weren't always used on the network. Pay-to-pubkey-hash preserves the privacy of the recipient, because the public key is revealed known, and the recipient address is shorter than a public key.
So looking at the transaction you specifically refered to in your post:
https://www.blocktrail.com/BTC/tx/5a4ebf66822b0b2d56bd9dc64ece0bc38ee7844a23ff1d7320a88c5fdb2ad3e2 which spends these newly mined coins:
The only input spends the mined coins. Look at the input script here - there is only one field, the signature. This is what confused me, because you said there was a public key there
The client will execute [scriptSig] [scriptPubKey], so your script runs like this: [sig] [pubkey] OP_CHECKSIG - since sig and pubkey are supplied as input to OP_CHECKSIG.
Now look that your transactions output script. It's different to the that of the mined coins, it looks like:
OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d OP_EQUALVERIFY OP_CHECKSIG
That's very different to the first transaction - it's no longer pay-to-pubkey, but pay-to-pubkey-hash. There is no public key revealed, but instead the public key now needs to be included in the input script.
[scriptSig] [scriptPubKey]
[sig pubkey] [OP_DUP OP_HASH160 hash OP_EQUALVERIFY OP_CHECKSIG]
... several steps pass while sig, pubkey are pushed, the pubkey is duplicated, the new one converted to it's hash, confirmed to match the hash, and the hashes removed then.
sig pubkey OP_CHECKSIG
This last step is the same as a pay-to-pubkey transaction to the client, except this time the public key is provided in the scriptSig instead of the scriptPubKey. The naming gets annoying, doesn't it
Previous Tx f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6
- Owners public key: 04283338ffd784c198147f99aed2cc16709c90b1522e3b3637b312a6f9130e0eda7081e373a96d3
6be319710cd5c134aaffba81ff08650d7de8af332fe4d8cde20 (located in output script)
- Owners public key hash: not known! the public key is already known by the time the recipient has his funds.
Your Tx 5a4ebf66822b0b2d56bd9dc64ece0bc38ee7844a23ff1d7320a88c5fdb2ad3e2
- Owners public key: 04d4fb35c2cdb822644f1057e9bd07e3d3b0a36702662327ef4eb799eb219856d0fd884fce43082
b73424a3293837c5f94a478f7bc4ec4da82bfb7e0b43fb218cc
not known until the user spends from this address - Owners public key hash: 404371705fa9bd789a2fcd52d2c580b65d35549d