Should signature verification warn about unsuitable CERTS?
sop has KEY_CANNOT_SIGN for trying to sign with a secret key that can't make signatures (e.g. because it does not have the signature-making key usage flag, or because the algorithms it supports are too weak to legitimately sign with). But when verifying signatures, what should sop do if it is given a correspondingly incapable CERTS object?
If no CERTS objects given to sop verify are capable of making signatures, then the command will always fail. In some other cases, though, sop verify might have multiple CERTS objects, and some of them are incapable of making signatures while others are acceptable. A sophisticated user might want to receive a notification that they shouldn't bother checking signatures against the incapable certificate in the future.
sop has no explicit warning channel, though warning messages are permitted on stderr. Should we encourage warning more explicitly when an unsuitable CERTS is present, or when signatures are observed but none are found to be valid from the set of acceptable CERTS?