On the Auth0 documentation page ‘Validate JSON Web Tokens’ (https://auth0.com/docs/secure/tokens/json-web-tokens/validate-json-web-tokens), it would have saved me a few hours of time if the instruction steps in the section ‘Verify RS256-signed tokens’ had been more clear.
The instructed download step of the certificate returns a cert.pem file (BEGIN/END CERTIFICATE). This needs to be turned into a pubkey.pem file (BEGIN/END PUBLIC KEY), before proceeding.
Thanks for letting us know that the instructions in our documentation are unclear. I will pass this information back to our docs team.
Also, thank you for sharing the command that helped you convert the cert to a public key.
I would also add that you can get the public key from your tenant’s JWKS: https://{yourDomain}/.well-known/jwks.json
On that page, you can copy one of the objects in the keys array and include it in your public key signature. This should produce a verified signature.
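As an added example that is not part of the original post or the Auth0 reply, the script below walks through the cert.pem to pubkey.pem conversion the poster describes and then checks an RS256 signature with the resulting public key (the same verify step applies to a key taken from the JWKS once it is in PEM form). It assumes only openssl and a POSIX shell; the key, certificate and token are all generated locally as stand-ins for the tenant's real ones, and the openssl commands are standard ones, not the command the poster shared.

```sh
#!/bin/sh
# Added example, not from the Auth0 docs or the original thread.
# Assumes only openssl and a POSIX shell; every file here is generated locally
# (constructed demo material standing in for the tenant's cert and token).
set -e

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Throwaway RSA key + self-signed cert, playing the role of the downloaded cert.pem.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout priv.pem -out cert.pem \
    -subj "/CN=example-tenant" -days 1 >/dev/null 2>&1
}

# The step the documentation skips: extract the bare public key from the certificate.
cert_to_pubkey() { openssl x509 -pubkey -noout -in "$1" > "$2"; }

# Mint an RS256 (RSASSA-PKCS1-v1_5 + SHA-256) JWT with the private key.
mint_jwt() {
  h=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  p=$(printf '{"iss":"https://example-tenant.invalid/","sub":"user123"}' | b64url)
  s=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -sign priv.pem | b64url)
  printf '%s.%s.%s' "$h" "$p" "$s"
}

# Verify a JWT's signature against a PEM public key (not a certificate).
# Exit status 0 = signature valid, 1 = invalid signature or unreadable key.
verify_jwt() {
  token=$1 keyfile=$2
  signing_input=${token%.*}   # header.payload
  sig=${token##*.}            # base64url-encoded signature
  case $(( ${#sig} % 4 )) in 2) sig="$sig==";; 3) sig="$sig=";; esac
  printf '%s' "$sig" | tr '_-' '/+' | openssl base64 -d -A > sig.bin
  if printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$keyfile" \
       -signature sig.bin >/dev/null 2>&1; then return 0; else return 1; fi
}

WORK=$(mktemp -d); cd "$WORK"
make_cert
cert_to_pubkey cert.pem pubkey.pem
TOKEN=$(mint_jwt)
# Same token with its payload swapped: the signature no longer matches.
TAMPERED="${TOKEN%%.*}.$(printf '{"sub":"someone-else"}' | b64url).${TOKEN##*.}"
if verify_jwt "$TOKEN" pubkey.pem; then echo "genuine token: Verified OK"; fi
if verify_jwt "$TAMPERED" pubkey.pem; then echo "BUG"; else echo "tampered token: rejected"; fi
```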