How to list all signatures with signtool.exe while verifying against the kernel signing policy

So I am signing a binary using signtool from the Windows SDK 8.1:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe

When I look at it in the file properties, I can see the correct result.

However, when I use verify with this very signtool I get, depending on the passed parameter:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

With /pa and /pa /all I can see both timestamps:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index  Algorithm  Timestamp
========================================
0      sha1       Authenticode

Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index  Algorithm  Timestamp
========================================
0      sha1       Authenticode
1      sha256     RFC3161

but when trying to use /kp to verify against the kernel signing policy, signtool refuses to run that along with /all:

"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.

So I have two questions:

  1. Is this a defect (that /kp and /all don't work together)?
  2. Is there a better way than to call signtool verify twice, once with /pa /all and once with /kp, to see all timestamps and verify against the kernel signing policy?
0xC0000022L asked Jan 11 '16 22:01

1 Answer

I've recently stumbled upon the same issue with /kp and /all, and completely by chance discovered that the order of arguments is important. If I specify /kp /all, I get The /all option is incompatible with the /kp option. But if I pass /all /kp, verification works smoothly: it enumerates all signatures in the file and checks them all.

Konstantin Vlasov answered Oct 13 '22 06:10
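Putting the question's two-pass approach and the answer's argument-order finding together, here is an added PowerShell wrapper (not code from the question or the answer) that a build pipeline can run as a gate: it calls signtool verify with /pa /all to enumerate every signature, parses the Index/Algorithm/Timestamp table in the format shown in the question's output, then calls it again with /all /kp (in that order) to check the kernel signing policy, and fails if either pass fails or an expected digest algorithm is missing. The signtool path, the required algorithm list and the RFC3161-timestamp check are assumptions for this example; the exit-code convention used (0 success, 1 failure, 2 warnings) is signtool's documented one.

```powershell
# Added example: gate a binary on both the default Authenticode policy (/pa)
# and the kernel-mode policy (/kp), listing all signatures.
# Assumptions (not from the page): signtool path, required algorithms, exit codes.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$SignTool = "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe",
    [string[]]$RequiredAlgorithms = @('sha1', 'sha256')
)

function Invoke-SignToolVerify {
    param([string[]]$VerifyArgs)
    # signtool writes its errors to stderr; merge both streams into plain strings.
    $output = & $SignTool verify @VerifyArgs $File 2>&1 | ForEach-Object { $_.ToString() }
    [pscustomobject]@{
        ExitCode = $LASTEXITCODE   # 0 = success, 1 = failure, 2 = warnings
        Output   = $output
    }
}

function ConvertFrom-SignatureTable {
    param([string[]]$Lines)
    # Rows look like "0      sha1       Authenticode" or "1      sha256     RFC3161".
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+)\s+(\S+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Index     = [int]$Matches[1]
                Algorithm = $Matches[2].ToLowerInvariant()
                Timestamp = $Matches[3]
            }
        }
    }
}

$failures = @()

# Pass 1: default Authenticode policy over all signatures, to get the full table.
$pa = Invoke-SignToolVerify -VerifyArgs @('/pa', '/all')
$signatures = @(ConvertFrom-SignatureTable -Lines $pa.Output)
if ($pa.ExitCode -ne 0)      { $failures += "verify /pa /all exited with $($pa.ExitCode)" }
if ($signatures.Count -eq 0) { $failures += 'no signatures were listed' }

foreach ($alg in $RequiredAlgorithms) {
    if (-not ($signatures | Where-Object Algorithm -eq $alg)) {
        $failures += "no $alg signature present"
    }
}
# Assumed policy: the sha256 signature must carry an RFC3161 timestamp,
# as the question's /tr ... /td sha256 signing step produces.
foreach ($sig in ($signatures | Where-Object Algorithm -eq 'sha256')) {
    if ($sig.Timestamp -ne 'RFC3161') {
        $failures += "sha256 signature index $($sig.Index) is not RFC3161 timestamped"
    }
}

# Pass 2: kernel-mode policy. /all must come before /kp, or signtool rejects the combination.
$kp = Invoke-SignToolVerify -VerifyArgs @('/all', '/kp')
if ($kp.ExitCode -ne 0) { $failures += "verify /all /kp exited with $($kp.ExitCode)" }

$signatures | Format-Table -AutoSize | Out-String | Write-Host
if ($failures) {
    $failures | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "All $($signatures.Count) signature(s) verified under /pa and /kp"
exit 0
```

Run it as `.\Verify-Signatures.ps1 -File foo.exe`; a non-zero exit stops the pipeline. Because signtool's stderr text is merged into the captured output, the trust-provider errors from the question's first `/all` run would also surface in the failure list rather than being silently dropped.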