Thanks for the suggestions. I ended up doing it the other way: Instead of verifying the signatures my JavaScript was emitting, I plugged in a couple of signatures for the same transaction from my Python code to prove that the rest of the JavaScript was OK and figured it out that way. (Seems like my signatures were OK but I had them in the wrong order, which results in OP_CHECKMULTISIG reporting an invalid signature???)