Because image manipulation by computer is so easy, it is hard to be sure that an image was indeed created at the date, time and place claimed, and that it has not been altered since. To gain this confidence requires a strong chain of evidence linking the collection of bits representing the image back to the camera that made the image. Cryptographic checksums used to implement parts of this chain must demonstrate that no other image was substituted for the correct one, even though a very long period of time might have been available for a malefactor to exhaustively search for an alternative that matched the checksum. It must be possible to secure the provenance of the image without taking the camera out of circulation, and subsequent tampering with the camera should not cast doubt on the provenance. Signing the image twice, but only publishing one of the public keys, allows the image to be verified whether the camera is available or not, and also undermines any claim that the signature could have been fabricated by trial and error. Watermarking, though largely irrelevant to this discussion, does provide a convenient way of ensuring that the image and the associated data can be handled in a way compatible with existing image processing software.