RSA would be too slow to be used to sign an entire message. Remember that signing is merely encrypting with the private key. Instead, PGP generates a ``cryptographic hash'' of the message with a function called MD5 and that hash is then signed. MD5 (Message Digest version 5) is a function which takes an arbitrary amount of data and generates a 128-bit number. It is believed to be extremely difficult to find two different messages with the same hash, and even more difficult to generate a message with a specified hash value --- that of a particular message, for instance. Note that we can now provide integrity. If it is difficult to generate another message with the same MD5 hash as a prototype message, then it is difficult to replace that prototypical message with a forgery and not be detected.