I generally recommend
Learnmeabitcoin as a resource for introduction to more technical topics.
In the article I linked to, they explain how
scriptPubKey is the locking script.
There are different possible script types, but the most common nowadays is P2PKH. It can be unlocked by providing the original public key and correct signature (
this tuple is the scriptSig).
OP_DUP OP_HASH160 fde0a08625e327ba400644ad62d5c571d2eec3de OP_EQUALVERIFY OP_CHECKSIG
In short: The 'opcodes added' duplicate the public key, perform the hash160. The result lies on the stack. Then, the script pushes the (hardcoded into the transaction) public key hash to the stack and verify that these 2 public key hashes match. Finally, the signature is matched against the public key.
More information about
P2PKH here.
As you asked: 'What do you sign?' -- you sign the whole transaction.
More about
transactions here.