If the includeKeyValue property is set (which it is not by default) then XMLSignatureSigningStage attempts to find a public key value to include in the signature.
If the pubKey property is set, the public key will be taken from that. If not, the code attempts to extract the public key from the first provided certificate. If no certificates have been provided, this results in an IndexOutOfBoundsException.
It would be better to simply omit the key value in this case.