In short: to be able to verify whether the applet has really been approved
by the one who claims to have approved it.

If you are surfing the web and you want to execute an applet, you want to be
sure the applet has been approved by a person/company you trust (unless you
like virusses etc). In order to realize this, the applet is signed by its
publisher (person/company).

The publisher has two keys: a (secret) private key and a public key. The
first one is kept secret, the latter one is known to everybody who wants to
know it (it can be found in a public directory of (public) keys, like a
phone book).

So the publisher wants to sign its applet. In the first stage, he uses a
hash function (http://en.wikipedia.org/wiki/Hash_function) to get a
relatively short array of bits that corresponds to the applet: the hashcode
of the applet. Then the publisher encrypts that hashcode using his private
key. Now the applet has been signed (so the signature is the encrypted
hashcode).

If a person wants to verify whether an applet has been really signed by the
publisher and not by some spoofer, he only has te decrypt the (attached)
signature using the publisher's public key. Then he calculates the hashcode
of the applet. If  the decrypted signature and the calculated hashcode
match, the person knows that the applet has been signed by the publisher.
Since it's very difficult to calculate the signature without the private
key, the person can be quite sure the applet has been approved by the
publisher.

Notice that if the applet is altered by a third party, its hashcode changes
and the signature is not longer valid.

Hi,

Normally, applets are executed in a sandbox that e.g. prevents them from
accessing the local hard disk. A signed applet however is allowed to
leave the sandbox. The user must decide if he trusts the certificate, of
course...

Ciao,
Ingo

see http://mindprod.com/jgloss/applets.html
http://mindprod.com/jgloss/signedapplets.html