Have you verified you're passing 'secure=1' when generating the
AuthSubRequest URL?

I have some test code following this message that I used to quickly
create a signature and was able to use it successfully -- let me know
how similar this is to your code (or just include your code here for
to allow us to try it out ).

Cheers,
-Ryan
---

$fp = fopen("mykey.pem", "r");
$priv_key = fread($fp, 8192);
fclose($fp);
$pkeyid = openssl_get_privatekey($priv_key);

$time = time();
$method = "GET";
// $url = "https://www.google.com/accounts/AuthSubSessionToken";
// cheating for the nonce (don't use this code in production)
$data = $method . " " . $url . " " . $time . " 15948652339726849410";

// compute signature
openssl_sign($data, $signature, $pkeyid, OPENSSL_ALGO_SHA1);

// free the key from memory
openssl_free_key($pkeyid);

$sig = base64_encode($signature);
// if using for real, you'd validate this input data
$token  = $_GET['token'];

echo 'curl -H \'Authorization: AuthSub token="' . $token . '"
data="' . $data . '" sig="' . $sig . '" sigalg="rsa-sha1"\' ' . $url;