cask: audit for correct signing of pkg installers

Library/Homebrew/cask/audit.rb

@@ -491,22 +491,20 @@ module Cask
       Dir.mktmpdir do |tmpdir|
         tmpdir = Pathname(tmpdir)
         primary_container.extract_nestedly(to: tmpdir, basename: downloaded_path.basename, verbose: false)
+
+        message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
+                  "to be signed. Please contact the upstream developer to let them know they should "
+
         artifacts.each do |artifact|
-          path = case artifact
+          case artifact
           when Artifact::Moved
-            tmpdir/artifact.source.basename
-          when Artifact::Pkg
-            artifact.path
-          end
+            path = tmpdir/artifact.source.basename
             next unless path.exist?
 
             result = system_command("codesign", args: ["--verify", path], print_stderr: false)
 
             next if result.success?
 
-          message = "Signature verification failed:\n#{result.merged_output}\nmacOS on ARM requires applications " \
-                    "to be signed. Please contact the upstream developer to let them know they should "
-
             message += if result.stderr.include?("not signed at all")
               "sign their app."
             else
@@ -514,6 +512,22 @@ module Cask
             end
 
             add_warning message
+          when Artifact::Pkg
+            path = artifact.path
+            next unless path.exist?
+
+            result = system_command("pkgutil", args: ["--check-signature", path], print_stderr: false)
+            if result.failure?
+              add_warning "#{message} sign their package."
+              next
+            end
+
+            result = system_command("stapler", args: ["validate", path], print_stderr: false)
+            if result.failure?
+              add_warning "#{message} notarize their package."
+              next
+            end
+          end
         end
       end
     end