cask/audit: iterate over artifacts in rosetta/signing audit

bevanjkay · bevanjkay · commit 34f659cb640b · 2025-08-11T14:12:34.000+10:00
diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
@@ -505,8 +505,8 @@ def audit_signing
       extract_artifacts do |artifacts, tmpdir|
         is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
 
-        artifacts.each do |artifact|
-          next if artifact.is_a?(Artifact::Binary) && is_container == true
+        any_signing_failure = artifacts.any? do |artifact|
+          next false if artifact.is_a?(Artifact::Binary) && is_container == true
 
           artifact_path = artifact.is_a?(Artifact::Pkg) ? artifact.path : artifact.source
 
@@ -521,28 +521,32 @@ def audit_signing
             system_command("gktool", args: ["scan", path], print_stderr: false)
           when Artifact::Binary
             # Shell scripts cannot be signed, so we skip them
-            next if path.text_executable?
+            next false if path.text_executable?
 
             system_command("codesign",  args:         ["--verify", "-R=notarized", "--check-notarization", path],
                                         print_stderr: false)
           else
             add_error "Unknown artifact type: #{artifact.class}", location: url.location
           end
 
-          if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
-            add_error "Cask is deprecated as unsigned but artifacts are signed!"
-          end
-
-          next if cask.deprecated? && cask.deprecation_reason == :unsigned
-
-          next if result.success?
+          next false if result.success?
+          next true if cask.deprecated? && cask.deprecation_reason == :unsigned
 
           add_error <<~EOS, location: url.location
             Signature verification failed:
             #{result.merged_output}
             macOS on ARM requires software to be signed.
             Please contact the upstream developer to let them know they should sign and notarize their software.
           EOS
+
+          true
+        end
+
+        if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
+          add_error <<~EOS
+            Cask is deprecated as unsigned but all artifacts are signed!
+            Remove the deprecate/disable stanza or update the deprecate/disable reason.
+          EOS
         end
       end
     end
@@ -640,9 +644,12 @@ def audit_rosetta
       extract_artifacts do |artifacts, tmpdir|
         is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
 
-        artifacts.each do |artifact|
-          next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
-          next if artifact.is_a?(Artifact::Binary) && is_container
+        mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
+        requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+
+        any_requires_rosetta = artifacts.any? do |artifact|
+          next false if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
+          next false if artifact.is_a?(Artifact::Binary) && is_container
 
           path = tmpdir/artifact.source.relative_path_from(cask.staged_path)
 
@@ -665,7 +672,7 @@ def audit_rosetta
           end
 
           # binary stanza can contain shell scripts, so we just continue if lipo fails.
-          next unless result.success?
+          next false unless result.success?
 
           odebug "Architectures: #{result.merged_output}"
 
@@ -675,17 +682,17 @@ def audit_rosetta
             next
           end
 
-          supports_arm = result.merged_output.include?("arm64")
-          mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
-          requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+          next true if result.merged_output.exclude?("arm64") && result.merged_output.include?("x86_64")
+        end
 
-          if supports_arm && mentions_rosetta
-            add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!",
-                      location: url.location
-          elsif !supports_arm && !mentions_rosetta && !requires_intel
-            add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
+        if any_requires_rosetta
+          if !mentions_rosetta && !requires_intel
+            add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
                       location: url.location
           end
+        elsif mentions_rosetta
+          add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
+                    location: url.location
         end
       end
     end
