How are detached signatures used to verify a file's integrity and authenticity?

I understand that the detached signature is generated by the signer's private key and that you use the signer's public key to verify the downloaded file.

e.g.

gpg --verify package_name.asc

The signature is verified by using the signer's public key, but how does gpg know that the signature belongs to the package downloaded? Am I missing something?


Finding the File for a Detached Signature

gpg will automatically verify detached signatures against the same file name, without .asc or .sig enxtension. From man gpg:

--verify
  Assume  that  the first argument is a signed file or a detached signature and
  verify it without generating any output. With  no  arguments,  the  signature
  packet  is  read from STDIN. If only a sigfile is given, it may be a complete
  signature or a detached signature, in which case the signed stuff is expected
  in a file without the ".sig" or ".asc" extension.  With more than 1 argument,
  the first should be a detached signature and  the  remaining  files  are  the
  signed  stuff.  To  read  the  signed stuff from STDIN, use '-' as the second
  filename.  For security reasons a detached signature cannot read  the  signed
  material from STDIN without denoting it in the above way.

Thus, gpg --verify package_name.asc expects the signed file to be available as package_name. If it isn't (or at another location), also give the path to this file:

gpg --verify detached_siganture.asc signed_file

Is it the Right File?

OpenPGP does not expect the file name (or any other identifier) to be stored in the signature. But: the signature is the hash sum of the signed file, encrypted with the signer's private key, so it can be decrypted with his public key. If the decrypted hash sum does not match the one of the file used to verify against, you know the file isn't the same that was signed (but cannot tell whether it is the wrong file because of selecting the wrong, or it was tampered).