dotnet · vcsjones · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -1177,14 +1177,19 @@ public static void BuildChainForCertificateSignedWithDisallowedKey()
                 chain.ChainPolicy.ExtraStore.Add(intermediateCert);
                 Assert.False(chain.Build(cert));
 
-                if (PlatformDetection.IsAndroid || PlatformDetection.IsApplePlatform26OrLater || PlatformDetection.IsLinux)
+                if (PlatformDetection.IsAndroid || PlatformDetection.IsApplePlatform26OrLater)
                 {
                     // Android always validates trust as part of building a path,
                     // so violations comes back as PartialChain with no elements
                     // Apple 26 no longer block these SKIs since the roots are no longer trusted at all and are expired.
-                    // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
                     Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
                 }
+                else if (PlatformDetection.IsLinux)
+                {
+                    // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
+                    X509ChainStatusFlags actualFlags = chain.AllStatusFlags();
+                    AssertExtensions.TrueExpression(actualFlags.HasFlag(X509ChainStatusFlags.PartialChain));
+                }
                 else
                 {
                     X509ChainElement certElement = chain.ChainElements