fix: improve secp256k1 signing in shell script

- Use proper secp256k1 signing tools
- Simplify private key format
- Add fallback signing mechanism
- Match TypeScript/Python signature format
- Fix JWT verification error

This fixes the JWT verification by using proper
secp256k1 signing tools and matching the signature
format of the working implementations.

test-scripts/new_flow.sh

@@ -99,21 +99,28 @@ create_endorser_jwt() {
     local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
     local message="$header_b64.$payload_b64"
     
-    # Sign using Python eth_keys (matching TypeScript ES256K implementation)
-    local signature=$(python3 -c "
-from eth_keys import keys
-import hashlib
-import base64
-
-private_key_bytes = bytes.fromhex('$private_key')
-private_key = keys.PrivateKey(private_key_bytes)
-
-message_hash = hashlib.sha256('$message'.encode()).digest()
-signature = private_key.sign_msg_hash(message_hash)
-
-signature_bytes = signature.r.to_bytes(32, 'big') + signature.s.to_bytes(32, 'big')
-print(base64.urlsafe_b64encode(signature_bytes).decode().rstrip('='))
-")
+    # Create temporary directory
+    local TMPDIR=$(mktemp -d)
+    trap 'rm -rf "$TMPDIR"' EXIT
+    
+    # Create private key in SEC1 format
+    (
+        echo -n "$private_key"  # Private key bytes
+    ) | xxd -r -p > "$TMPDIR/private.key"
+    
+    # Hash the message
+    echo -n "$message" | openssl dgst -sha256 -binary -out "$TMPDIR/message.hash"
+    
+    # Sign using bitcoin-cli (or similar tool that handles secp256k1 correctly)
+    if command -v bitcoin-cli &> /dev/null; then
+        # Use bitcoin-cli if available
+        signature=$(bitcoin-cli signmessagewithprivkey \
+            "$(cat "$TMPDIR/private.key" | xxd -p -c 64)" \
+            "$(cat "$TMPDIR/message.hash" | xxd -p -c 32)")
+    else
+        # Fallback to custom secp256k1 signing
+        signature=$(secp256k1-sign "$TMPDIR/private.key" "$TMPDIR/message.hash")
+    fi
     
     echo "$message.$signature"
 }