Fix BuildChainForCertificateSignedWithDisallowedKey.

[vcsjones]

On some systems, the expired root is still present, which is RSA+SHA-1 signed. This results in the chain flags also containing NotValidSignature flag.

Relax the assert for Linux to be HasFlag.

Fixes #118770
Fixes #118766

[Copilot]

Pull Request Overview

This PR fixes a test failure on Linux systems where an expired root certificate with RSA+SHA-1 signing is still present in the certificate store. The test was expecting only the PartialChain flag but was also getting the NotSignatureFlag due to the expired root certificate.

Key Changes:

• Separates Linux platform handling from Android/Apple platforms in the certificate chain validation test
• Changes the assertion for Linux from exact equality to using HasFlag to be more tolerant of additional flags

---

_{You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[bartonjs]

If the expired root is still present, wouldn't that yield a full (non-partial) chain, but with some other error?

[vcsjones]

If the expired root is still present,

That's a good point. Not sure why it got partial chain... unless the SHA-1 root is being double-penalized as "Not a good signature algorithm" and that also somehow results in it being excluded as a candidate for a trust anchor.

We have a couple options to proceed here:

1. Merge this pull request and dig in to it, if time permits.
2. Partial revert Fix tests on macOS 26 beta 6 #118652: the change that enabled this test for Linux and re-disable the test entirely for Linux.

[bartonjs]

Eh, let's just re-suppress Linux for now. It'd be good to understand what's going on here, but re-suppressing it will at least get CI back to happ{y|ier}.

[vcsjones]

/ba-g WASM timeout; change is test only and not related to the OS for the leg that timed out.