Reconsider deprecation of SBOM attachments
Closed this issue · 1 comment
marklechner commented
An additional consideration when trying to use syft and cosign with AWS KMS and ECR
- Deprecating the `sbom` option while syft does not support attest via KMS key makes life nasty and difficult when trying to use cosign features as intended. In my case (which I'm pretty sure is fairly standard) I'm using cosign with a KMS-managed key to sign my images stored in my private ECR.
- The eventual deprecation of `sbom` would require me to use `syft attest` with a different key management solution given it has no support for KMS, meaning I cannot reuse the same mechanism (not the key) for signing the image and the SBOM. This is complicating setup and increasing operational as well as security risk.
marklechner commented
False alarm... seems like `cosign attest --predicate some.sbmom --key awskms:xyz` actually works.
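As an added example (not the issue author's code), the workflow the two comments describe end to end: syft generates the SBOM, and one AWS KMS key is used with cosign both to sign the ECR image and to attach the SBOM as an attestation, after which both are verified. The repository, digest and KMS alias are placeholders, and `syft`, `cosign` and AWS credentials are assumed to be available.

```shell
#!/usr/bin/env bash
# Added example, not from the issue: use ONE AWS KMS key with cosign both to sign
# an ECR image and to attach its syft-generated SBOM as an in-toto attestation,
# then verify both. Repository, digest and KMS alias below are placeholders.
set -euo pipefail

# cosign's KMS reference format is awskms://[ENDPOINT]/[KEY-ID|alias/NAME|ARN];
# an empty endpoint selects the default regional endpoint (hence three slashes).
kms_key_ref() {              # kms_key_ref alias/cosign-signing
  printf 'awskms:///%s' "$1"
}

# Signatures and attestations should be bound to an immutable digest, not a tag
# that can be re-pointed later. Returns 0 for a digest reference, 1 otherwise.
require_digest_ref() {
  case "$1" in
    *@sha256:[0-9a-f]*) return 0 ;;
    *) echo "refusing to sign mutable reference: $1" >&2; return 1 ;;
  esac
}

# Generate an SPDX JSON SBOM with syft (the issue's SBOM tool).
generate_sbom() {            # generate_sbom IMAGE_REF OUT_FILE
  syft "$1" -o spdx-json > "$2"
}

# Sign the image and attach the SBOM with the same KMS key. No key material
# leaves KMS; cosign only asks KMS to sign the digest / statement.
sign_and_attest() {          # sign_and_attest KEY_REF IMAGE_REF SBOM_FILE
  require_digest_ref "$2"
  cosign sign --key "$1" "$2"
  cosign attest --key "$1" --type spdxjson --predicate "$3" "$2"
}

# Verify the signature and the SBOM attestation; both fail if the key differs.
verify_all() {               # verify_all KEY_REF IMAGE_REF
  cosign verify --key "$1" "$2" > /dev/null
  cosign verify-attestation --key "$1" --type spdxjson "$2" > /dev/null
}

main() {                     # main IMAGE_REF@sha256:... KMS_ALIAS
  local key; key=$(kms_key_ref "$2")
  generate_sbom "$1" sbom.spdx.json
  sign_and_attest "$key" "$1" sbom.spdx.json
  verify_all "$key" "$1"
}
# Example (placeholders): ./sbom-attest.sh \
#   123456789012.dkr.ecr.us-east-1.amazonaws.com/app@sha256:<digest> alias/cosign-signing
[ $# -eq 0 ] || main "$@"
```

The KMS role running this needs `kms:Sign` for signing and `kms:GetPublicKey` for verification; the verify steps reject an image whose signature or SBOM attestation was produced with any other key.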