Okay, I did that too, and the secret is that the scriptSig is entirely removed and replaced with the scriptPubKey from the source (old) transaction. I'm still a little confused about how this works in the source.
VerifyScript() doesn't actually concatenate the two scripts. It runs scriptSig, and that leaves stuff on the stack, then it runs the old scriptPubKey with the stack left by scriptSig. The only connection is the stack. So when we run the scriptPubKey, which holds the OP_CHECKSIG, the "current script" is just that, the old scriptPubKey. This is the script which gets OP_CODESEPARATOR stripped and then put in place of the scriptSig, for hashing.
Yes, I believe you are correct. I added a few more lines to the official client to print out the actual transaction, the hash of the actual transaction, and the hash of the tmpTx.
What I found out is that my OP_CHECKSIG code is
now correct, and I get the same hash of tmpTx. So now I have narrowed my problem down to my signature verification code. I believe dirtyfilthy said his wasn't working either, and we are both using the same classes/methods for our signature verification. [mike], however, is doing it a different way, of which I think it was implied to be working correctly for him.
So, [mike]...would you be able to help us out a little bit, here??