As the error message says, your signature is not DER encoded.
An ECDSA signature is composed of two integers, R and s. DER is a method of encoding them. DER for a signature specifies that the signature begin with the byte 0x30, followed by the length in bytes of the rest of the signature, then we have a 0x02 byte followed by R‘s length in bytes followed by R itself as a signed integer, and lastly we have a 0x02 byte followed by s‘s length in bytes, followed by s itself as a signed integer.
For Bitcoin specifically, this is then followed by a single byte to indicate the sighash type.
Let’s try to decode your signature to see where it went wrong:
30– That’s good, that’s the prefix we expect for proper DER encoding46– The length of the signature should be 70 bytes. This looks correct as 70 bytes later we are at the end of the signature02– This is the correct prefix for an integer21– This tells us the length ofR, 33 bytes009b3beae48e8b1cf4224c2b608815fb67a26f5f006feed0a66ec50e17863175c4–Ritself02– This is the correct prefix for an integer20– This tells us the length ofs, 32 bytes2029edc4dcb9d7545185c56490ae44b3fad5da1df67d5b773b1fb14a9723e68f–sitself
But we’re actually not at the end of the signature, we have an extra byte of 0x05.
The question is, is one of the lengths wrong, or is the s wrong. My supposition is that the s is wrong. For the secp256k1 curve that Bitcoin uses, both R and s are 256 bit integers. This means that their maximum value is 32 bytes long. Since DER uses signed integers where it interprets the most significant bit as the signedness indicator, we can get 33 byte R and s values only when that MSB is set, and the resulting 33 bytes will always begin with a 0x00 byte. That most significant byte cannot be anything other than 0, otherwise the value would be larger than 256 bits.
Since your s begins with a 0x20 byte, it could not have actually been a 33 byte s. That would mean it’s larger than 256 bits and therefore invalid. However, considering that it is 0x20 I think what could have happened is that you’ve accidentally duplicated the 0x20 size prefix for DER encoding.
If that is what happened, then dropping that first 0x20 from your s should fix the problem. Don’t forget that doing so will change the size of your signature, so you will need to modify the DER size value as well as the size in the Bitcoin script.
Original Answer
As the error message says, your signature is not DER encoded. The length of the DER sequence is short by one byte. You have 0x44 but it should be 0x45.
However I think your signature just has an actual extra 0x20 in it prefixing the second integer, rather than your signature actually being one byte short.
