by b1db77d2 4328 days ago
A little note about the "make a privkey" section of the signature example; it can sometimes* make invalid privkeys that are off the end of the EC curve. Only integers between 0x1 and 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 are valid in our particular case. Super unlikely to ever get a sha256 hash that matches the invalid portion, but it's worthwhile to point out.

* probably never, but worth mentioning


This curve order limit actually introduces a small bias. You can choose a number greater than the curve order, but then it'll be taken modulo the order, so some incredibly small number of values will be biased closer to zero. In practice the probability to hit such numbers is less than 2^-128, so you may easily skip all checks and take the number as is. Of course, nitpickers will nitpick, and that's why in all standards that describe key and nonce generation (BIP32, RFC 6979 etc.), you'll see boilerplate code that checks for such numbers and does some extra cumbersome computations just to avoid these from happening.
Excellent point, added as annotation, thanks!
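The two points above (a sha256 digest is only a valid secp256k1 private key if it lies in [1, n-1], and silently reducing an out-of-range digest modulo n folds the top sliver of 256-bit space onto the values just above zero) can be made concrete. The following is an added example, not code from the thread or from the signature example being discussed; the only constant it takes from the thread is the group order n, and the function names (`is_valid_privkey`, `reduce_mod_n`, `bias_stats`, `privkey_rejection_sampling`) are my own. It shows the range check, what the naive "hash the seed" construction yields, the exact size of the folded interval, and the retry loop that BIP32 and RFC 6979 use instead of reducing.

```python
import hashlib
import secrets

# Order of the secp256k1 group, i.e. the largest valid private key plus one.
# This is the limit quoted in the first comment above.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_valid_privkey(k: int) -> bool:
    """A scalar is a usable secp256k1 private key iff 1 <= k <= n-1.
    0 has no public key and n (or anything above it) is equivalent to k mod n."""
    return 1 <= k < SECP256K1_N


def privkey_from_sha256_naive(seed: bytes) -> int:
    """The 'sha256 a seed and use it as the key' construction: no range check."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big")


def privkey_from_sha256_checked(seed: bytes) -> int:
    """Same construction with the range check the first comment asks for.
    Rejects rather than reduces, so the caller must pick a different seed."""
    k = privkey_from_sha256_naive(seed)
    if not is_valid_privkey(k):
        raise ValueError("sha256(seed) is not in [1, n-1]; choose another seed")
    return k


def reduce_mod_n(k: int) -> int:
    """What an implementation that silently reduces modulo n does. Every value
    in [n, 2^256) lands in [0, 2^256 - n), which is the bias the second comment describes."""
    return k % SECP256K1_N


def bias_stats():
    """Size of the folded interval and the probability that a uniformly random
    256-bit value falls into it. The interval is [n, 2^256), so its size is 2^256 - n."""
    excess = (1 << 256) - SECP256K1_N
    probability = excess / (1 << 256)
    return excess, probability


def privkey_rejection_sampling(rng=secrets.token_bytes) -> int:
    """Unbiased generation: draw 32 uniformly random bytes and retry until the
    value is in range (the approach BIP32 and RFC 6979 take instead of reducing).
    rng is injectable so the retry path can be exercised deterministically."""
    while True:
        k = int.from_bytes(rng(32), "big")
        if is_valid_privkey(k):
            return k


def scripted_rng(values):
    """Test helper (not a real RNG): hands out the given integers, big-endian, in order."""
    it = iter(values)
    return lambda nbytes: next(it).to_bytes(nbytes, "big")


if __name__ == "__main__":
    excess, p = bias_stats()
    print(f"values folded onto [0, {excess}): probability ~ {p:.3g} per draw")
    k = privkey_from_sha256_checked(b"constructed example seed")
    print(f"sha256-derived key is valid: {is_valid_privkey(k)}")
    print(f"n itself reduces to {reduce_mod_n(SECP256K1_N)}, i.e. an unusable key")
    print(f"rejection-sampled key valid: {is_valid_privkey(privkey_rejection_sampling())}")
```

The folded interval has 2^256 - n elements, which is between 2^128 and 2^129 values, so a uniformly random 256-bit input hits it with probability on the order of 2^-128 per draw. The check costs one integer comparison, which is why the standards keep it even though no real run will ever trip it.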