diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb
index e8d641814c..10fb64ae4f 100644
--- a/Library/Homebrew/attestation.rb
+++ b/Library/Homebrew/attestation.rb
@@ -188,7 +188,7 @@ module Homebrew
         end
       end
 
-      raise InvalidAttestationError, "no attestation matches subject" if attestation.blank?
+      raise InvalidAttestationError, "no attestation matches subject: #{subject}" if attestation.blank?
 
       attestation
     end
@@ -227,7 +227,17 @@ module Homebrew
         # This was originally unintentional, but has a virtuous side effect of further
         # limiting domain separation on the backfilled signatures (by committing them to
         # their original bottle URLs).
-        url_sha256 = Digest::SHA256.hexdigest(bottle.url)
+        url_sha256 = if EnvConfig.bottle_domain == HOMEBREW_BOTTLE_DEFAULT_DOMAIN
+          Digest::SHA256.hexdigest(bottle.url)
+        else
+          # If our bottle is coming from a mirror, we need to recompute the expected
+          # non-mirror URL to make the hash match.
+          path, = Utils::Bottles.path_resolved_basename HOMEBREW_BOTTLE_DEFAULT_DOMAIN, bottle.name,
+                                                        bottle.resource.checksum, bottle.filename
+          url = "#{HOMEBREW_BOTTLE_DEFAULT_DOMAIN}/#{path}"
+
+          Digest::SHA256.hexdigest(url)
+        end
         subject = "#{url_sha256}--#{bottle.filename}"
 
         # We don't pass in a signing workflow for backfill signatures because