Improve comments related to assembly public key token validation.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: paulmedynski

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlAuthenticationProviderManager.cs

@@ -69,6 +69,24 @@ static SqlAuthenticationProviderManager()
                 #if STRONG_NAME_SIGNING
                 // When assembly strong name signing is enabled, check the public key token, which
                 // gives us a mediocre level of confidence that this assembly is actually ours.
+                //
+                // SECURITY NOTE:
+                // The value below is the strong-name public key token for the
+                // Microsoft.Data.SqlClient.Extensions.Azure assembly as signed with
+                // the production strong-name key.
+                //
+                // To (re)generate or verify this token:
+                //   1. Build a signed copy of Microsoft.Data.SqlClient.Extensions.Azure.dll
+                //      using the production signing key.
+                //   2. Run the Strong Name tool on the signed assembly:
+                //          sn -T Microsoft.Data.SqlClient.Extensions.Azure.dll
+                //   3. Confirm that the "Public key token" reported by sn.exe is:
+                //          23ec7fc2d6eaa4a5
+                //      which corresponds to the byte array specified below.
+                //
+                // If the strong-name signing key is ever rotated, this token (and its
+                // documentation) must be updated to match the new key; otherwise the
+                // Azure extensions assembly will no longer be recognized as trusted here.
                 byte[] expectedToken = [0x23, 0xec, 0x7f, 0xc2, 0xd6, 0xea, 0xa4, 0xa5];
                 byte[]? actualToken = assembly.GetName().GetPublicKeyToken();