From 9dc5929ad81f26f018a8454f2654ef10f77ec092 Mon Sep 17 00:00:00 2001
From: Bevan Kay <email@bevankay.me>
Date: Mon, 21 Jul 2025 18:49:29 +1000
Subject: [PATCH] cask/audit: always enable codesign audit

---
 Library/Homebrew/cask/audit.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/Library/Homebrew/cask/audit.rb b/Library/Homebrew/cask/audit.rb
index f7a7ee893f..03e7e47c0a 100644
--- a/Library/Homebrew/cask/audit.rb
+++ b/Library/Homebrew/cask/audit.rb
@@ -486,7 +486,13 @@ module Cask
 
     sig { void }
     def audit_signing
-      return if !signing? || download.blank? || (url = cask.url).nil?
+      return if download.blank?
+
+      url = cask.url
+      return if url.nil?
+
+      return if !cask.tap.official? && !signing?
+      return if cask.deprecated? && cask.deprecation_reason != :unsigned
 
       odebug "Auditing signing"
 
@@ -511,9 +517,15 @@ module Cask
             add_error "Unknown artifact type: #{artifact.class}", location: url.location
           end
 
+          if result.success? && cask.deprecated? && cask.deprecation_reason == :unsigned
+            add_error "Cask is deprecated as unsigned but artifacts are signed!"
+          end
+
+          next if cask.deprecated? && cask.deprecation_reason == :unsigned
+
           next if result.success?
 
-          add_error <<~EOS, location: url.location, strict_only: true
+          add_error <<~EOS, location: url.location
             Signature verification failed:
             #{result.merged_output}
             macOS on ARM requires software to be signed.