How does Chrome distrust Symantec Certificates?

How does Chrome distrust Symantec Certificates?

Sometime back Google Chrome had announced plans to distrust Symantec certificates. I am trying to figure out how this is done for a POC.
When I visit chase.com on Google Chrome, I get the following message in the dev console:

The SSL certificate used to load resources from https://www.chase.com
  will be distrusted in M70. Once distrusted, users will be prevented
  from loading these resources. See https://g.co/chrome/symantecpkicerts
  for more information.

From the Chromium source, I could see that they have a list of hashes that they check against - symantec_certs.cc and in this README.md they use the following openssl command to get the hashes from the certificates.
for f in roots/*.pem; 
do openssl x509 -noout -pubkey -in "${f}" | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; 
digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; 
echo "0x${digest} ${f##*/}"; 
done | sort 

Now for chase.com, I got the certs using the following command
openssl s_client -host chase.com -port 443 -prexit -showcerts

This outputs two certs both of which I copied to separate files (from 'begin certificate' to 'end certificate') cert1.cert and cert2.cert
To get the hashes, executed the following
for f in ./*.cert; 
do cat "${f}" | openssl x509 -noout -pubkey | openssl asn1parse -inform pem -out /tmp/pubkey.out -noout; 
digest=`cat /tmp/pubkey.out | openssl dgst -sha256 -c | awk -F " " '{print $2}' | sed s/:/,0x/g `; 
echo "0x${digest}"; 
done

which gives
0x14,0x72,0x0b,0x47,0x2b,0x12,0x3d,0xc2,0xfd,0xcc,0x13,0x2a,0x81,0x09,0xc7,0x29,0x97,0x13,0x36,0xaf,0x95,0x38,0x9f,0x89,0x12,0xa4,0x71,0xa8,0x78,0xdd,0xb7,0x37
0x80,0xcc,0x56,0x3a,0xb5,0xf8,0x3c,0xc4,0x1e,0xb0,0xaf,0x6a,0x14,0xd6,0xd8,0x07,0x18,0xc1,0x7e,0x35,0x2f,0x96,0x49,0xff,0xbc,0xdd,0x67,0xf8,0xbf,0x65,0x13,0x91

both of which aren't in symantec_certs.cc
I believe the certificate chain doesn't contain the Root CA certificate, am I supposed calculate the Root's public key hash also and check it against the know distrusted roots? If yes, how to get the Root certificate?

Solutions/Answers:

Our Awesome Free Tools

References