Oh good, I am glad you got it figured out!
As for being a security risk, I wouldn't think it to be a very large risk. If it were a real threat then Google would not even offer the ability to use a cart that was not digitally signed. They offer the digital signed cart as an "increased" security precaution. PayPal works on a similar principles, using unsigned communications from the e-commerce site and their checkout page. And they have been doing it this way since their inception with minimal ill effect in relation to security.
That said, one should keep in mind that there is always an element of risk during any monetary transaction, whether it is online or at a brick-and-mortar store. As a proprietor of a brick-and-mortar, one runs the risk of shop lifters, bad check writers, credit card charge backs and more. The risks of running an online store are similar, even though they may take different forms. Digitally signed carts are simply an additional layer of precautionary security. The best security of course is to be attentive to the transactions that one is involved in. For example, reviewing purchase amounts of a transaction, prior to shipping tangible goods to the buyer. If the buyer has purchased $100 worth of items and the transaction is only for $15, then something is obviously a miss and the seller should investigate.