diff --git a/lib/utils/verify-signatures.js b/lib/utils/verify-signatures.js
index 73a96cfe16488..cf9fafd17745d 100644
--- a/lib/utils/verify-signatures.js
+++ b/lib/utils/verify-signatures.js
@@ -192,6 +192,7 @@ class VerifySignatures {
 // If keys not found in Sigstore TUF repo, fallback to registry keys API
 if (!keys) {
+ log.warn(`Fetching verification keys using TUF failed. Fetching directly from ${registry}.`)
 keys = await npmFetch.json('/-/npm/v1/keys', {
 ...this.npm.flatOptions,
 registry,
diff --git a/test/lib/commands/audit.js b/test/lib/commands/audit.js
index bf0a055d13c71..26853823a72b0 100644
--- a/test/lib/commands/audit.js
+++ b/test/lib/commands/audit.js
@@ -940,7 +940,7 @@ t.test('audit signatures', async t => {
 })
 t.test('with key fallback to legacy API', async t => {
- const { npm, joinedOutput } = await loadMockNpm(t, {
+ const { logs, npm, joinedOutput } = await loadMockNpm(t, {
 prefixDir: installWithValidSigs,
 })
 const registry = new MockRegistry({ tap: t, registry: npm.config.get('registry') })
@@ -952,6 +952,7 @@ t.test('audit signatures', async t => {
 t.notOk(process.exitCode, 'should exit successfully')
 t.match(joinedOutput(), /audited 1 package/)
+ t.match(logs.warn, ['Fetching verification keys using TUF failed. Fetching directly from https://registry.npmjs.org/.'])
 t.matchSnapshot(joinedOutput())
 })
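Review bot: The warning added inside the `if (!keys)` branch says the TUF fetch "failed", but the comment directly above describes this branch as keys *not found* in the Sigstore TUF repo, so a TUF lookup that succeeds and simply has no keys for this registry logs the same "failed" message. Since the fallback fetches keys with plain `npmFetch.json` rather than through TUF, this line is the user's only hint that the keys obtained this way are presumably not TUF-verified; wording such as `log.warn(\`Verification keys for ${registry} not available from the Sigstore TUF repo; fetching them from the registry keys API (/-/npm/v1/keys) without TUF verification.\`)` covers both cases and states the trust implication. If the wording changes, the exact string asserted in the test/lib/commands/audit.js hunk must change with it. This assumes `log` is already imported in this module; the import block and the rest of the enclosing method lie outside the hunk.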