How do "Pay to Script Hash" transactions work?

Question

BIP16 gives the following example to explain "Pay to Script Hash":

scriptSig:    [signature] {[pubkey] OP_CHECKSIG}
scriptPubKey: OP_HASH160 [20-byte-hash of {[pubkey] OP_CHECKSIG} ] OP_EQUAL

But I don't get what's happening here. I've tried executing the script on paper (and assumed the parts in squared/curly brackets are treated as constants):

1. [signature] and {[pubkey] OP_CHECKSIG} are pushed onto the stack
2. OP_HASH160 hashes {[pubkey] OP_CHECKSIG}
3. The same hash comes from the scriptPubKey onto the stack
4. Consequently OP_EQUAL gives True
5. The [signature] is not checked at all!

If the {[pubkey] OP_CHECKSIG} is executed, the scriptSig would only give True, which makes even less sense.

To frame a clear question: How do "Pay to Script Hash" scripts work, especially this example case?

Answer 1

You're correct so far, you just stopped before you were finished. As BIP16 says, it "defines additional validation rules that apply only to the new transactions" -- specifically, "{serialized script} is popped off the initial stack, and the transaction is validated again using the popped stack and the deserialized script as the scriptPubKey."

So:

1) The script is popped off the stack, leaving only [signature] on the stack.

2) The deserialized script is added, leaving [signature] [pubkey] OP_CHECKSIG.

2) The transaction is validated again, that is, a normal signature verification occurs against the specified public key.