This repository has been archived by the owner on Jul 14, 2020. It is now read-only.

ValidateNuGetPackageHashes must consider .nupkg.metadata.contenthash in addition to the .nupkg.sha512 #291

Open
twmillett opened this issue Feb 27, 2019 · 0 comments

Comments

@twmillett

It seems like NuGet 4.9.3 (which gets used by Visual Studio 15.9) changed the way that NuGetAssetsLock.props files are generated.

In earlier versions of NuGet (e.g., 4.6.2) the Sha512 embedded in the NugetAssetLock.props file comes from the package's .nupkg.sha512.

In 4.9.3, the Sha512 comes from the .nupkg.metadata file, specifically from a JSON field in it called contenthash.

As a result, anyone building in Visual Studio 15.9 and/or who updates their build\local\nuget binary to 4.9.3 will always generate asset lock files that fail package validation.
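
One way a validator could accept a lock-file hash from either source named in the issue above, as an added example (not code from this repository or from NuGet). The sidecar file names in the package folder, the case-insensitive match on the `contenthash` field, and all function names are assumptions; the sample package folder and its hashes are constructed.

```python
import base64, binascii, hashlib, json, tempfile
from pathlib import Path

def _decode(value):
    """Decode a base64 SHA-512; return None unless it is exactly 64 bytes."""
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == 64 else None

def recorded_hashes(pkg_dir):
    """Map sidecar name -> decoded hash for one extracted package folder."""
    pkg_dir, found = Path(pkg_dir), {}
    for f in sorted(pkg_dir.glob("*.nupkg.sha512")):   # source used by older NuGet
        found[".nupkg.sha512"] = _decode(f.read_text(encoding="utf-8-sig"))
    meta = pkg_dir / ".nupkg.metadata"                  # source used by NuGet 4.9.3
    if meta.is_file():
        try:
            doc = json.loads(meta.read_text(encoding="utf-8-sig"))
        except ValueError:
            doc = {}                                    # unreadable metadata: ignore it
        fields = doc.items() if isinstance(doc, dict) else []
        for key, val in fields:
            if key.lower() == "contenthash" and isinstance(val, str):
                found[".nupkg.metadata"] = _decode(val)
    return {k: v for k, v in found.items() if v is not None}

def matching_source(pkg_dir, lock_hash):
    """Return which sidecar the lock-file hash matches, or None (validation fails)."""
    want = _decode(lock_hash)                           # malformed input never matches
    hits = [n for n, h in recorded_hashes(pkg_dir).items() if h == want]
    return hits[0] if hits else None

def build_sample(root):
    """Constructed package folder whose two sidecars hold different hashes."""
    h_file = base64.b64encode(hashlib.sha512(b"constructed nupkg bytes").digest()).decode()
    h_meta = base64.b64encode(hashlib.sha512(b"constructed content").digest()).decode()
    d = Path(root) / "sample.pkg" / "1.0.0"
    d.mkdir(parents=True)
    (d / "sample.pkg.1.0.0.nupkg.sha512").write_text(h_file)
    (d / ".nupkg.metadata").write_text(json.dumps({"version": 1, "contentHash": h_meta}))
    return d, h_file, h_meta

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        d, h_file, h_meta = build_sample(tmp)
        print(matching_source(d, h_file), matching_source(d, h_meta))
```

A validator that reads only `.nupkg.sha512` corresponds to dropping the `.nupkg.metadata` branch, which makes the second lookup return `None`.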
