How does signing with a strong name protect against forging a set of assemblies?

Signing with a strong name (key pair stored in the .snk file) is (among other purposes) designed to protect against assembly forgery.

For example: I ship my assembly, signed with a strong name, then some other developer uses my assembly, and therefore their assembly now contains a reference to mine, which mentions the public key of my key pair. Some users install this developer's assembly and my assembly and are happy to use this developer's code. If someone else tries to create an assembly similar to my version and convinces the user that this "update is worth installing", the fake assembly will not load, because I control my key pair and the forged assembly is not signed with the same key pair. Okay, cool.

But what prevents an attacker from forging both my assembly and the dependent assembly of the other developer and "shipping" both of them? They capture my assembly and this developer's assembly, fake both, sign the fake version of my assembly with some key, then add a reference to it in the fake version of the dependent assembly, sign it and send both. I mean, for a malicious party, "delivering" two assemblies should not be much more complicated than "sending" one assembly.

How does signing with strong names protect against forging multiple assemblies?

+5
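The scenario in the question, modelled as an added example (not code from the original post). It assumes constructed byte strings standing in for public keys, and the names `Assembly`, `reference` and `binds` are hypothetical; only the token comparison made when a reference is resolved is modelled, not signature verification.

```python
import hashlib
from dataclasses import dataclass, field

def public_key_token(public_key: bytes) -> str:
    """Public key token: last 8 bytes of SHA-1(public key), byte-reversed, hex."""
    return hashlib.sha1(public_key).digest()[-8:][::-1].hex()

@dataclass
class Assembly:
    name: str
    public_key: bytes  # constructed stand-in for the key blob in the manifest
    references: dict = field(default_factory=dict)  # referenced name -> token

def reference(target: Assembly) -> dict:
    """What a consumer records about a dependency at build time."""
    return {target.name: public_key_token(target.public_key)}

def binds(consumer: Assembly, candidate: Assembly) -> bool:
    """True if the candidate satisfies the consumer's recorded reference."""
    expected = consumer.references.get(candidate.name)
    return expected is not None and expected == public_key_token(candidate.public_key)

# Constructed sample keys (assumptions, not real key material).
AUTHOR_KEY = b"constructed-author-public-key"
DEV_KEY = b"constructed-developer-public-key"
OTHER_KEY = b"constructed-third-party-public-key"

my_lib = Assembly("MyLib", AUTHOR_KEY)
dev_app = Assembly("DevApp", DEV_KEY, reference(my_lib))

# Both assemblies rebuilt and re-signed by someone holding neither real key.
fake_lib = Assembly("MyLib", OTHER_KEY)
fake_app = Assembly("DevApp", OTHER_KEY, reference(fake_lib))

def scenario_results() -> dict:
    return {
        # Genuine consumer, genuine dependency: tokens match.
        "genuine_pair": binds(dev_app, my_lib),
        # Genuine consumer, replaced dependency: token mismatch, load refused.
        "replaced_lib_only": binds(dev_app, fake_lib),
        # Both replaced: the pair is internally consistent, so this check passes.
        "replaced_pair": binds(fake_app, fake_lib),
        # But the top-level assembly's own token is no longer the developer's.
        "top_level_token_changed":
            public_key_token(fake_app.public_key) != public_key_token(dev_app.public_key),
    }

if __name__ == "__main__":
    for case, outcome in scenario_results().items():
        print(f"{case}: {outcome}")
```
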
2 answers

. , .

, EXE DLL (, GAC, , ..), , , .

, , , , , , , () .

. , , . , ( "" ), , .

. , " ". , EXE , - .

+5

- , ... "" . :

" .NET Framework".

, - . , , , " ". , .

0
