cask/audit: iterate over artifacts in rosetta/signing audit

Author: bevanjkay

Library/Homebrew/cask/audit.rb

@@ -505,6 +505,8 @@ def audit_signing
       extract_artifacts do |artifacts, tmpdir|
         is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
 
+        any_signing_failure = T.let(false, T::Boolean)
+
         artifacts.each do |artifact|
           next if artifact.is_a?(Artifact::Binary) && is_container == true
 
@@ -529,13 +531,11 @@ def audit_signing
             add_error "Unknown artifact type: #{artifact.class}", location: url.location
           end
 
-          if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
-            add_error "Cask is deprecated as unsigned but artifacts are signed!"
-          end
+          next if result.success?
 
-          next if cask.deprecated? && cask.deprecation_reason == :unsigned
+          any_signing_failure = true
 
-          next if result.success?
+          next if cask.deprecated? && cask.deprecation_reason == :unsigned
 
           add_error <<~EOS, location: url.location
             Signature verification failed:
@@ -544,6 +544,10 @@ def audit_signing
             Please contact the upstream developer to let them know they should sign and notarize their software.
           EOS
         end
+
+        if cask.deprecated? && cask.deprecation_reason == :unsigned && !any_signing_failure
+          add_error "Cask is deprecated as unsigned but all artifacts are signed!"
+        end
       end
     end
 
@@ -640,6 +644,12 @@ def audit_rosetta
       extract_artifacts do |artifacts, tmpdir|
         is_container = artifacts.any? { |a| a.is_a?(Artifact::App) || a.is_a?(Artifact::Pkg) }
 
+        # Aggregate results across artifacts to decide on Rosetta caveat once.
+        any_requires_rosetta = T.let(false, T::Boolean)
+
+        mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
+        requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+
         artifacts.each do |artifact|
           next if !artifact.is_a?(Artifact::App) && !artifact.is_a?(Artifact::Binary)
           next if artifact.is_a?(Artifact::Binary) && is_container
@@ -675,17 +685,19 @@ def audit_rosetta
             next
           end
 
-          supports_arm = result.merged_output.include?("arm64")
-          mentions_rosetta = cask.caveats.include?("requires Rosetta 2")
-          requires_intel = cask.depends_on.arch&.any? { |arch| arch[:type] == :intel }
+          supports_arm = T.cast(result.merged_output.include?("arm64"), T::Boolean)
+          requires_rosetta_for_artifact = T.cast(!supports_arm && result.merged_output.include?("x86_64"), T::Boolean)
+          any_requires_rosetta ||= requires_rosetta_for_artifact
+        end
 
-          if supports_arm && mentions_rosetta
-            add_error "Artifacts do not require Rosetta 2 but the caveats say otherwise!",
-                      location: url.location
-          elsif !supports_arm && !mentions_rosetta && !requires_intel
-            add_error "Artifacts require Rosetta 2 but this is not indicated by the caveats!",
+        if any_requires_rosetta
+          if !mentions_rosetta && !requires_intel
+            add_error "At least one artifact requires Rosetta 2 but this is not indicated by the caveats!",
                       location: url.location
           end
+        elsif mentions_rosetta
+          add_error "No artifacts require Rosetta 2 but the caveats say otherwise!",
+                    location: url.location
         end
       end
     end