diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f58df1d..9cf1000 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -427,7 +427,11 @@ jobs:
 mkdir -p assets
 gh release download "${TAG_NAME}" \
 --repo "${{ github.repository }}" \
- --dir assets
+ --dir assets \
+ --pattern '*.tgz' \
+ --pattern '*.deb' \
+ --pattern '*.rpm' \
+ --pattern '*.zip'
 - name: Compute SHA256 hashes
 id: hash
diff --git a/README.md b/README.md
index e208ae9..c7c1d4f 100644
--- a/README.md
+++ b/README.md
@@ -315,7 +315,7 @@ Each GitHub release includes a `multiple.intoto.jsonl` provenance file. Verify a
 go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest
 # Download the artifact and provenance from the release
-gh release download v1.91.0 --repo mongodb/kingfisher \
+gh release download --repo mongodb/kingfisher \
 --pattern 'kingfisher-linux-x64.tgz' \
 --pattern 'multiple.intoto.jsonl'
@@ -330,7 +330,7 @@ slsa-verifier verify-artifact kingfisher-linux-x64.tgz \
 Release artifacts also have GitHub build attestations, verifiable with the GitHub CLI:
 ```bash
-gh release download v1.91.0 --repo mongodb/kingfisher \
+gh release download --repo mongodb/kingfisher \
 --pattern 'kingfisher-linux-x64.tgz'
 gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher
diff --git a/crates/kingfisher-rules/data/rules/azure-notification-hub.yml b/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
index 6e3ce2f..42be867 100644
--- a/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
+++ b/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
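Review bot: The four `--pattern` filters silently narrow what the following "Compute SHA256 hashes" step gets to see: any release asset with another extension (a checksum or SBOM file, a `.tar.gz`, `.pkg` or `.msi`, as constructed examples) is no longer downloaded into `assets` and so drops out of the hashes without any signal. If that narrowing is intended, a comment in the run block would keep it discoverable when a new artifact type is added later, e.g. `# Only these artifact types are downloaded and hashed; keep the list in sync with the upload step.` It is also worth confirming that `gh release download` fails, rather than exits cleanly with an empty directory, when a tag has no asset matching any pattern, since an empty `assets` directory would turn the hash step into a no-op. The run block starts outside the hunk.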
@@ -149,7 +149,8 @@ rules:
 {%- assign se = "" | unix_timestamp | plus: 300 -%}
 {%- capture to_sign -%}{{ uri | url_encode }}
 {{ se }}{%- endcapture -%}
- {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256: TOKEN | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%}
+ {%- assign key_bytes = TOKEN | b64dec -%}
+ {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256: key_bytes | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%}
 {{ auth | strip_newlines }}
 response_matcher:
 - report_response: true
diff --git a/crates/kingfisher-rules/data/rules/fullstory.yml b/crates/kingfisher-rules/data/rules/fullstory.yml
index b9c4571..960c997 100644
--- a/crates/kingfisher-rules/data/rules/fullstory.yml
+++ b/crates/kingfisher-rules/data/rules/fullstory.yml
@@ -32,7 +32,7 @@ rules:
 method: GET
 url: https://api.fullstory.com/me
 headers:
- Authorization: Basic {{ TOKEN }}
+ Authorization: Basic {{ TOKEN | append: ':' | b64enc }}
 Accept: application/json
 response_matcher:
 - report_response: true
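Review bot: The new `key_bytes` assignment carries no comment saying why the token is base64-decoded before `hmac_sha256`, and since the line it replaces passed `TOKEN` straight into the HMAC, a later reader could easily "simplify" it back and silently break validation. A Liquid comment that renders to nothing would preserve the intent, e.g. `{%- comment -%}the SAS key is base64-encoded; the HMAC must be computed over the decoded bytes{%- endcomment -%}` placed just above the assign. It is not visible here what `b64dec` does with a candidate that is not valid base64 (empty output, or an error that aborts the template); worth confirming, since a malformed match should just yield a non-matching signature rather than stop validation for the rule. The enclosing validation block starts before this hunk.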
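Review bot: The new header value `Basic {{ TOKEN | append: ':' | b64enc }}` is an unquoted plain scalar that now contains `: ` (inside `append: ':'`), which a spec-conforming YAML parser treats as a mapping indicator and rejects with a "mapping values are not allowed here" style error, so the rule file may no longer load unless the loader preprocesses the template text. Quoting the value avoids that: `Authorization: "Basic {{ TOKEN | append: ':' | b64enc }}"`. Separately, the removed line sent the raw key after `Basic`, which is how some FullStory documentation presents the header; it is worth confirming against a live key that `/me` accepts the base64(key:) form, because a wrong scheme would make every genuine key fail validation. The enclosing request block starts outside the hunk.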