With RSA, signing is the same as encrypting; it is just that you encrypt with the private key and decrypt with the public key. As it is implemented in cryptosystems, you take a hash value of the message to sign, then you encrypt the hash with the private key to get the signature. Then, to verify the signature, the verifier takes the hash of the message, decrypts the signature with the public key, and compares the result to the hash value. In addition to only operating on hash values, I believe you also need to use padding for it to be secure. Also, you need to make sure to use constant-time comparisons in order to protect against timing attacks. However, the abundance of small (and highly important) details aside, at a core level, sign/verify is the same thing as encrypt/decrypt, just with the utilized keys reversed. Of course, you don't need to know any of this to use GPG, because they package it all up for you. But you were technically pretty much correct at a low level, just not from the high-level perspective of using GPG to create and verify RSA signatures (in which case it is not the same thing as encrypt/decrypt, but rather is sign and verify).
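The hash-then-sign flow described in the post above, as an added example that is not part of the original post: the private-key operation on a SHA-256 hash, verification with the public key and a constant-time comparison, and a check of the multiplicative property that is one reason unpadded RSA is not safe to deploy. The key is a constructed toy built from two Mersenne primes, and the function names are hypothetical; real code should use a library's padded scheme such as RSA-PSS.

```python
import hashlib
import hmac

# Constructed toy key (assumption for this demo): two Mersenne primes so the
# example runs offline with no key generation. Never use such a key for real data.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8        # modulus length in bytes


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, read as a big-endian integer (always < N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Textbook signature: private-key operation on the bare hash, no padding."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Apply the public key to the signature and compare with the fresh hash."""
    recovered = pow(signature, E, N)
    expected = digest_int(message)
    # Compare fixed-length encodings in constant time, as the post advises.
    return hmac.compare_digest(recovered.to_bytes(K, "big"),
                               expected.to_bytes(K, "big"))


def raw_is_multiplicative(a: int, b: int) -> bool:
    """Without padding, sig(a) * sig(b) mod N is a valid signature on a*b mod N.
    Padding schemes exist in part to destroy this algebraic structure."""
    return (pow(a, D, N) * pow(b, D, N)) % N == pow((a * b) % N, D, N)


if __name__ == "__main__":
    sig = sign(b"release-1.0.tar.gz")            # constructed sample message
    print(verify(b"release-1.0.tar.gz", sig))    # genuine message
    print(verify(b"release-1.0.tar.gz!", sig))   # altered message
    print(raw_is_multiplicative(12345, 67890))
```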