Step 4 should produce the same sha256 fingerprint as your local build (for the same version tag).
Step 3 should produce the same sha256 fingerprint as your local build (for the same version tag).
The reason for the `firmware-fingerprint.sh` script is that signed firmware has a special header holding the signatures themselves, which must be excluded when calculating the fingerprint.
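
The sketch below is an added example, not the project's `firmware-fingerprint.sh`. It shows why a plain `sha256sum` of a signed image cannot match a local unsigned build, while a digest that skips the signature header does. The `FWHD` magic, the 68-byte header length and the helper names are assumptions made up for the illustration, and the sample images are constructed.

```shell
#!/bin/sh
# Added illustration. HEADER_LEN is an assumed value for a constructed layout:
# 4-byte magic followed by a 64-byte signature slot, then the payload.
HEADER_LEN=68

# Plain hash of the whole file; it changes as soon as signatures are filled in.
full_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Hash of everything after the header, so signature bytes never enter the digest.
payload_fingerprint() {
    tail -c +"$((HEADER_LEN + 1))" "$1" | sha256sum | cut -d' ' -f1
}

# Build a constructed sample image.
# usage: make_image <out-file> <signature-fill-char> <payload-string>
make_image() {
    {
        printf 'FWHD'
        printf '%64s' '' | tr ' ' "$2"
        printf '%s' "$3"
    } > "$1"
}

# Compare an "unsigned local build" with a "signed release" of the same payload.
demo() {
    dir=$(mktemp -d)
    make_image "$dir/local.bin"  0 'constructed payload v1.0'
    make_image "$dir/signed.bin" S 'constructed payload v1.0'
    echo "whole file, local : $(full_hash "$dir/local.bin")"
    echo "whole file, signed: $(full_hash "$dir/signed.bin")"
    echo "payload, local    : $(payload_fingerprint "$dir/local.bin")"
    echo "payload, signed   : $(payload_fingerprint "$dir/signed.bin")"
    rm -rf "$dir"
}

demo
```

The two whole-file hashes differ because only the signature slot differs; the two payload fingerprints are identical.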