there is something I am missing in understanding of digital signatures and was hoping someone could clear it up for me.
A digital signature is to verify something has not been modified and came from a person.
So say I somehow intercepted an xml file with a signature on it. I rip the signature out, then make some edits to the file. Then I generate a new signature for this file, and send it to who it was going to. They check the reference and yep it checks out. The file was not tampered with. But it was, only the signature was also tampered with. This must not be possible, so, what gigantic piece am I missing in this puzzle?
If the recipient would accept the document signed by anyone, then your approach would work. But the signature is usually used in conjunction with some other identification data, which makes replacing a signature meaningless.
Eg. when the user sends the signed report to the tax office, the report contains his name and the signature must contain his name. And this signature proves that John Doe has authorized or composed this report himself. If you replace the signature, it will contain your name, and the recipient of the report would compare the name in the report and the signature and reject the document.
Another example is SSL authentication of the server. The server presents the signed certificate that contains the domain name or IP address of the server (the procedure is more complicated, and I am omitting the details here). The client compares the data in the certificate with the address it connected to, and decides if he can trust the server or not.