From 83f6647a9b00a7d31efd176c1c331d78a7246fb8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Feb 2026 17:38:54 +0000
Subject: [PATCH 1/2] Initial plan


From c27aceec09ae3fcf4a3ce883b0af770463a3d905 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 25 Feb 2026 17:42:02 +0000
Subject: [PATCH 2/2] Load Azure extension assembly with public key token under
 STRONG_NAME_SIGNING

Co-authored-by: paulmedynski <31868385+paulmedynski@users.noreply.github.com>
---
 .../SqlAuthenticationProviderManager.cs       | 27 +++++++------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlAuthenticationProviderManager.cs b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlAuthenticationProviderManager.cs
index c9dc7375f2..38c5b069a9 100644
--- a/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlAuthenticationProviderManager.cs
+++ b/src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/SqlAuthenticationProviderManager.cs
@@ -55,7 +55,17 @@ static SqlAuthenticationProviderManager()
             try
             {
                 // Try to load our Azure extension.
+                #if STRONG_NAME_SIGNING
+                // When strong-name signing is enabled, build a fully-qualified AssemblyName
+                // that includes the expected public key token.  The runtime then enforces the
+                // token during binding, so an untrusted assembly with the same simple name
+                // is never loaded (and its module initializers never run).
+                var qualifiedName = new AssemblyName(assemblyName);
+                qualifiedName.SetPublicKeyToken([0x23, 0xec, 0x7f, 0xc2, 0xd6, 0xea, 0xa4, 0xa5]);
+                var assembly = Assembly.Load(qualifiedName);
+                #else
                 var assembly = Assembly.Load(assemblyName);
+                #endif
 
                 if (assembly is null)
                 {
@@ -66,23 +76,6 @@ static SqlAuthenticationProviderManager()
                     return;
                 }
 
-                #if STRONG_NAME_SIGNING
-                // When assembly strong name signing is enabled, check the public key token, which
-                // gives us a mediocre level of confidence that this assembly is actually ours.
-                byte[] expectedToken = [0x23, 0xec, 0x7f, 0xc2, 0xd6, 0xea, 0xa4, 0xa5];
-                byte[]? actualToken = assembly.GetName().GetPublicKeyToken();
-
-                if (actualToken is null || !actualToken.AsSpan().SequenceEqual(expectedToken))
-                {
-                    SqlClientEventSource.Log.TryTraceEvent(
-                        nameof(SqlAuthenticationProviderManager) +
-                        $": Azure extension assembly={assemblyName} has an " +
-                        "unexpected public key token; " +
-                        "no default Active Directory provider installed");
-                    return;
-                }
-                #endif
-
                 SqlClientEventSource.Log.TryTraceEvent(
                     nameof(SqlAuthenticationProviderManager) +
                     $": Azure extension assembly={assemblyName} found; " +