Isn’t the goal only to prove that a photograph was taken with a particular camera? I don’t think you could ever prove that the subject was legitimate, as there are countless ways to misrepresent things. But in a world of AI slop, knowing a photo was taken on a real camera and wasn’t synthesized artificially is still a useful data point in determining trust.

There's probably a technical solution, such as the camera manufacturer cryptographically signing a GPS location and timestamp together with the pixels. Like all DRM it will probably be broken though, and more importantly, would anyone (even e.g. a newspaper editor) care enough to verify the signature?