The public-private key pair is not used to encrypt the whole assembly. Instead it is used to sign the assembly.

Simplifying a little, to sign a file – such as an assembly – you take a hash of the file and then ecrypt that hash with your private key. Someone using the file verifies your signature by making a hash of the file themselves and then decrypting your encrypted hash using your public key and confirming these two hashes are the same. This proves two things:

1. The assembly is from who is claims to be from – i.e you – as it has been produced with your private key.
2. The assembly hasn’t been altered by someone else as the hash you made when you released the assembly is the same as the current one. No-one can alter the signed assembly since they would also have to make corresponding changes to the encrypted hash which requires your private key.

There is a lot more detail about Digital Signatures in this Wikipedia article.

The great thing about public-private key pairs is that they work either way around. So something encrypted with your private key can be only decrypted with your public key but also something encrypted with your public key can be decrypted with your private key. This latter use means that if someone wants to send something to you and only you then then can encrypt it with your freely available public key but they know only you with your private key can decrypt it.

As the keys only work as a pair – making the encryption asymmetric – someone else can’t simply reverse the encryption they’ve done with the public key to get the message to you.