Step 4 should produce the same sha256 fingerprint like your local build.
Step 4 should produce the same sha256 fingerprint like your local build (for the same version tag).
The reasoning for ``firmware-fingerprint.sh`` script is that signed firmware has special header holding signatures themselves, which must be avoided while calculating the fingerprint.