diff --git a/share/brewkit/fix-elf.ts b/share/brewkit/fix-elf.ts
index 80ed5070..5fdcf9b3 100755
--- a/share/brewkit/fix-elf.ts
+++ b/share/brewkit/fix-elf.ts
@@ -42,6 +42,7 @@ export default async function fix_rpaths(installation: Installation, pkgs: (Pack
   const skip_rpaths = [
     "go.dev", // skipping because for some reason patchelf breaks the go binary resulting in the only output being: `Segmentation Fault`
     "tea.xyz", // this causes tea to pass -E/--version (and everything else?) directly to deno, making it _too_ much of a wrapper.
+    "render.com", // same as `tea.xyz`
   ]
   if (skip_rpaths.includes(installation.pkg.project)) {
     console.info(`skipping rpath fixes for ${installation.pkg.project}`)
diff --git a/share/brewkit/fix-machos.rb b/share/brewkit/fix-machos.rb
index ce222181..5e5ba244 100755
--- a/share/brewkit/fix-machos.rb
+++ b/share/brewkit/fix-machos.rb
@@ -77,11 +77,18 @@ def codesign!(filename)
 
     signing_id = ENV['APPLE_IDENTITY'] || "-"
 
-    _, _, status = Open3.capture3("codesign", "--sign", signing_id, "--force",
+    _, stderr_str, status = Open3.capture3("codesign", "--sign", signing_id, "--force",
                                   "--preserve-metadata=entitlements,requirements,flags,runtime",
                                   filename)
 
-    raise MachO::CodeSigningError, "#{filename}: signing failed!" unless status.success?
+    # This is messy, but Deno (and Zig, and possibly others) output working binaries
+    # that fail strict validation. Deno has an open issue about this since 2018:
+    # https://github.com/denoland/deno/issues/575
+    # codesign "fails" after correctly signing these binaries with the below error,
+    # but the binaries still work.
+    raise MachO::CodeSigningError, "#{filename}: signing failed!"
+      unless status.success? ||
+      stderr_str.include?("main executable failed strict validation")
   end
 
   def fix_id