Are signed .net assemblies ever fully verified whe

Posted 2020-07-22 03:24

Question:

I used to think that .net assemblies that were signed and/or strong-named were verified by the CLR when loaded, meaning that it wasn't possible for someone to edit the IL and still have a valid assembly. Then I listened to this great Herding Code podcast where Jon McCoy said that doesn't really happen (approx 12:47 in the podcast) - i.e. anyone can edit the IL and mess with your assembly and the CLR will not care. I know this sounds weird, but he seems to know what he's talking about, so perhaps it's just that I don't know exactly what scenarios he's referring to.

Can someone explain if & when the CLR will actually verify the full contents of an assembly to ensure that someone hasn't tampered with the IL? If 'signing' or 'strong naming' doesn't do it, what process do you need to make the CLR check an assembly properly?

Some other references (that haven't made it entirely clear to me - probably I'm just a bit slow):

  • Talks about editing the IL and bypassing the strong name signing: "Validating .NET Framework Assemblies" (I don't know if this is the same sort of attack referred to by Jon).

  • Says an attacker can re-sign with his own key but can't leave your signature intact: "Can strong naming an assembly be used to verify the assembly author?" (i.e. not the same attack referred to by Jon)

  • Says that from .NET 3.5 the CLR doesn't verify assemblies under full trust: "Why does .NET not verify the BCL/CLR?" (maybe this is what Jon means?)

  • How to verify an assembly: "How to programmatically verify an assembly is signed with a specific Certificate?"

  • Grey Wolf (by Jon McCoy) - for copying strong name signing on assemblies!? https://www.digitalbodyguard.com/graywolf.html

Answer 1:

This is Jon McCoy :) Yes, the strong name signing can be bypassed. WHY/HOW -> The runtime only checks the strong name signing key/cert but does not hash the DLL/EXE to match the key. If the OS (Windows) has the .NET Framework set to turn strong name sign checking on, then it will, but this is off by default.

FIX ideas: Link to turn the bypass off: http://msdn.microsoft.com/en-us/library/cc713694%28v=vs.110%29.aspx

Also, some protection systems will have a known hash to check, but this can be removed.

You could enforce it as an IT policy and in Windows.

Yes: my tool GrayWolf (free on http://www.DigitalBodyGuard.com) changes the IL and moves the keys from the old one to the new changed copy; the keys would not match the hash of the DLL/EXE they are on, but no one checks :)

P.S. It would slow the boot time to check the hash.
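As an added example (not code from the question, the answer, or GrayWolf), this is how a loader can do the check the runtime skips under the full-trust bypass: force strong-name signature verification of a file via the legacy mscoree.dll API, pin the expected public key token so a copy re-signed with a different key is also rejected, and read the machine-wide AllowStrongNameBypass switch described in the MSDN article linked above. The class name, the placeholder path and the constructed token bytes are assumptions.

```csharp
// Added example: force strong-name verification and pin the publisher's key token.
using System;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.Win32;

static class StrongNameCheck
{
    // Exported by mscoree.dll (legacy API, still shipped with the .NET Framework).
    // fForceVerification = true also ignores "sn -Vr" skip-verification entries.
    [DllImport("mscoree.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.U1)]
    static extern bool StrongNameSignatureVerificationEx(
        string wszFilePath,
        [MarshalAs(UnmanagedType.U1)] bool fForceVerification,
        [MarshalAs(UnmanagedType.U1)] out bool pfWasVerified);

    // True only if the signature hash matches the file contents AND the public key
    // token is the one we expect (a copy re-signed with another key has a different token).
    public static bool IsTrusted(string path, byte[] expectedToken)
    {
        bool wasVerified;
        bool ok = StrongNameSignatureVerificationEx(path, true, out wasVerified);
        if (!ok || !wasVerified)
            return false;
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        return token != null && token.SequenceEqual(expectedToken);
    }

    // Reads the machine-wide bypass switch: a missing value or any non-zero value
    // means the CLR skips strong-name signature checks for full-trust loads.
    public static bool MachineBypassEnabled()
    {
        using (var key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\.NETFramework"))
        {
            object v = key?.GetValue("AllowStrongNameBypass");
            return v == null || Convert.ToInt32(v) != 0;
        }
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\placeholder\MyLib.dll"; // placeholder path
        byte[] expected = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };  // constructed token
        Console.WriteLine("Machine-wide strong-name bypass enabled: " + MachineBypassEnabled());
        Console.WriteLine("Assembly trusted: " + IsTrusted(path, expected));
    }
}
```

On 64-bit Windows the same value under SOFTWARE\Wow6432Node\Microsoft\.NETFramework governs 32-bit processes, and a per-application `<bypassTrustedAppStrongNames enabled="false"/>` element in the `<runtime>` section of app.config turns the bypass off for one program without touching the registry.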