shadow, you told me in private email that the issuer CA in question is an intermediate CA. So this isn't a root CA cert, correct?
Sounds like you had a object signing cert issued by an intermediate CA. It generated a signature that did not include the intermediate CA, so the client that attempted to verify the signature could not chain to the root. If that's right, this situation is very similar to SSL servers that don't install the intermediate CA certs for their server certs, so the cert chains they send out lack the necessary intermediate CA certs. The client may have the root, but without the intermediate CA, it cannot verify the signature on the leaf cert. Is that what's happening?
pilot error. This is an intermediate CA cert issue. While it's not clear how to add an intermediate CA certificate to a signed file with signtool, this isn't a "missing root" problem. I'm marking this bug INVALID myself.
When NSS signs something, it does not check that it has the complete cert chain for the cert that will verify the signature. When NSS generates a PKCS7 signature, it puts as much of the signing cert chain as it can find into the signature. If it doesn't have the complete chain, then it puts an incomplete chain in the signature. So, I suspect that what happened in this case is that an "object" was signed and the cert DB did not have the intermediate CA cert, so the generated signature was missing the intermediate CA cert. When a recipient of the signed object goes to verify the signature, if the signature contains the whole cert chain, including all intermediate CA certs, then the recipient only needs to have the root CA cert in its DB.
following up for completeness' sake: signtool automagically includes all the necessary intermediates necessary to permit certificate path validation by the client.