Having Trouble with Improperly Signed Update

Hi

I'm having an issue where sparkle keeps saying I have an improperly signed update, I've been playing with for a week now and getting nowhere so thought I'd throw a question up here and see if anybody can spot something obvious that i'm doing wrong.

My script below (the links in the script are invalid as i took down the files after testing) is borrowed and altered slighly from several on the web and seem to work fine in that it generates my DMG and the item listing for my appcast with a signature.

As per the sparkle documentation I report the size as the size of the app not the DMG file although I've done both while trying to get this work to no avail.

Any help gratefully received, is there something obviously wrong with this? I've looked at some of the similar questions to my own and can't find the answer.

set -o errexit

[ $BUILD_STYLE = Release ] || { echo Distribution target requires "'Release'" build style; false; }

VERSION=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleVersion)
VERSION_STRING=$(defaults read "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app/Contents/Info" CFBundleShortVersionString)

DOWNLOAD_BASE_URL="http://battlegrowl.googlecode.com/files"
RELEASENOTES_URL="http://battlegrowl.googlecode.com/files/ReleaseNotes.html"

DMG_FILENAME="$PROJECT_NAME-$VERSION.dmg"
APPCAST_ITEM_TRAILER="-Appcast-Item.xml"
APPCAST_ITEM_FILENAME="$PROJECT_NAME-$VERSION$APPCAST_ITEM_TRAILER"
DOWNLOAD_URL="$DOWNLOAD_BASE_URL/$DMG_FILENAME"
KEYCHAIN_PRIVKEY_NAME="Mechalogical Labs Private Key"
TMP_IMAGE_DIR="$TEMP_FILES_DIR/tmpimagedir"

WD=$PWD
cd "$BUILT_PRODUCTS_DIR"
rm -f "$PROJECT_NAME"*.dmg
rm -f *"$APPCAST_ITEM_TRAILER"
rm -rf "$TMP_IMAGE_DIR"
mkdir "$TMP_IMAGE_DIR"
cp -R "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app" "$TMP_IMAGE_DIR"
rm -f "$dmg"
hdiutil create -srcfolder "$TMP_IMAGE_DIR" -volname "$PROJECT_NAME" "$DMG_FILENAME"
hdiutil internet-enable -yes "$DMG_FILENAME"
rm -rf "$TMP_IMAGE_DIR"

SIZE=$(stat -f %z "$BUILT_PRODUCTS_DIR/$PROJECT_NAME.app")
PUBDATE=$(date +"%a, %d %b %G %T %z")

SIGNATURE=$(
 openssl dgst -sha1 -binary < "$DMG_FILENAME" \
 | openssl dgst -dss1 -sign <(security find-generic-password -g -s "$KEYCHAIN_PRIVKEY_NAME" 2>&1 1>/dev/null | perl -pe '($_) = /"(.+)"/; s/\\012/\n/g' | perl -MXML::LibXML -e 'print XML::LibXML->new()->parse_file("-")->findvalue(q(//string[preceding-sibling::key[1] = "NOTE"]))') \
 | openssl enc -base64
)

[ $SIGNATURE ] || { echo Unable to load signing private key with name "'$KEYCHAIN_PRIVKEY_NAME'" from keychain; false; }

echo "
  <item>
   <title>Release $VERSION_STRING </title>
   <sparkle:releaseNotesLink>$RELEASENOTES_URL</sparkle:releaseNotesLink>
   <pubDate>$PUBDATE</pubDate>
   <enclosure
    url=\"$DOWNLOAD_URL\"
    sparkle:version=\"$VERSION\"
    sparkle:shortVersionString=\"$VERSION_STRING\"
    type=\"application/octet-stream\"
    length=\"$SIZE\"
    sparkle:dsaSignature=\"$SIGNATURE\"
   />
  </item>
" > $APPCAST_ITEM_FILENAME