Also, the developer may have difficulty proving himself to be the... developer without an external authority; similar things happened in the countless cases of internet scams.
The developer would just hardcode his public key into the software. The client could just check that the message is signed by him.
In practice, it would be better if there were multiple people with the keys. Those people should be trusted and distributed over the planet (for protection against court orders).
The checkpoint would have to be signed by M of N of them. For example, there could be 9 public keys hardcoded into the client at launch and the checkpoint has to be signed by at least 6 of them.
Then there must also be some authoritative, central places for distributing the client as well. These sites have to stay up and running as long as the network is; when billions of dollars are at stake or the governments get involved, I don't think they will hold up so well. Yeah, Bitcoin uses checkpoints too, but as you have pointed out, with a "headers-first" approach we can probably get rid of that, and I can even download the blockchain and check the difficulty first using torrents, without connecting to any node.
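The M-of-N checkpoint check proposed in this thread (9 hardcoded public keys, at least 6 of them must sign), sketched as an added example; it is not code from any poster or from any client. Ed25519 as the signature scheme, the `Sig` layout, and the fixed-seed demo keys are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Sig is one signature plus the index of the hardcoded key that made it.
type Sig struct {
	KeyIndex int
	Bytes    []byte
}

// VerifyCheckpoint reports whether at least m distinct trusted keys signed msg.
// Unknown key indexes, invalid signatures and repeat signers are not counted.
func VerifyCheckpoint(trusted []ed25519.PublicKey, m int, msg []byte, sigs []Sig) bool {
	seen := make(map[int]bool)
	for _, s := range sigs {
		ok := s.KeyIndex >= 0 && s.KeyIndex < len(trusted) && !seen[s.KeyIndex]
		if ok && ed25519.Verify(trusted[s.KeyIndex], msg, s.Bytes) {
			seen[s.KeyIndex] = true
		}
	}
	return m > 0 && len(seen) >= m
}

// DemoKeys builds n constructed key pairs from fixed seeds (demo only).
func DemoKeys(n int) (pubs []ed25519.PublicKey, privs []ed25519.PrivateKey) {
	for i := 0; i < n; i++ {
		k := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		pubs, privs = append(pubs, k.Public().(ed25519.PublicKey)), append(privs, k)
	}
	return pubs, privs
}

// SignWith signs msg with the demo signers at the given indexes.
func SignWith(privs []ed25519.PrivateKey, msg []byte, idx ...int) (out []Sig) {
	for _, i := range idx {
		out = append(out, Sig{i, ed25519.Sign(privs[i], msg)})
	}
	return out
}

func main() {
	pubs, privs := DemoKeys(9)
	cp := []byte("checkpoint height=100000 (constructed sample)")
	fmt.Println(VerifyCheckpoint(pubs, 6, cp, SignWith(privs, cp, 0, 1, 2, 3, 4, 5)))
	fmt.Println(VerifyCheckpoint(pubs, 6, cp, SignWith(privs, cp, 0, 0, 0, 1, 2, 3)))
}
```

Counting distinct key indexes rather than valid signatures is what keeps one key holder from reaching the threshold alone by submitting the same signature several times.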