sigstore/cosign

Reconsider deprecation of SBOM attachments

Closed this issue · 1 comments

An additional consideration when trying to use syft and cosign with AWS KMS and ECR

  • Deprecating the sbom option while syft does not support attest via a KMS key makes life nasty and difficult when trying to use cosign features as intended
  • In my case (which I'm pretty sure is fairly standard) I'm using cosign with a KMS-managed key to sign my images stored in my private ECR
  • The eventual deprecation of sbom would require me to use syft attest with a different key management solution given it has no support for KMS, meaning I cannot reuse the same mechanism (not the key) for signing the image and the SBOM
  • This is complicating setup and increasing operational as well as security risk

False alarm... seems like cosign attest --predicate some.sbom --key awskms:xyz actually works
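The workflow the reporter settled on, as an added example (not from the issue or the cosign project): generate the SBOM with syft, sign the image and attach the SBOM as an attestation with the same AWS KMS key, then verify both. The ECR image reference, the KMS alias and the DRY_RUN switch are assumptions; syft and cosign are expected on PATH when run for real.

```shell
#!/usr/bin/env bash
# Added example, not the issue author's or cosign's own script.
# Assumes: syft and cosign on PATH, AWS credentials with kms:Sign permission,
# and an image reference pinned to a digest (a tag can move; a digest cannot).
set -eu

# run: execute the command, or only print it when DRY_RUN=1 so the pipeline
# can be reviewed without touching KMS or ECR.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# kms_key_uri: cosign's key reference form for AWS KMS, awskms:///<alias|key id|ARN>.
# The argument is assumed to be something like alias/cosign-signing.
kms_key_uri() {
  printf 'awskms:///%s' "$1"
}

# sign_and_attest: one KMS key signs both the image and its SBOM attestation,
# which is the point the issue raised: no second key-management mechanism needed.
sign_and_attest() {
  image="$1"; key="$2"; sbom="${3:-sbom.spdx.json}"
  run syft "$image" -o spdx-json="$sbom"
  run cosign sign --key "$key" "$image"
  run cosign attest --key "$key" --type spdxjson --predicate "$sbom" "$image"
}

# verify_all: the consumer side checks the signature and the SBOM attestation
# against the same KMS public key; a failure here must block deployment.
verify_all() {
  image="$1"; key="$2"
  run cosign verify --key "$key" "$image"
  run cosign verify-attestation --key "$key" --type spdxjson "$image"
}

# Usage (assumed placeholder values; set DRY_RUN=1 to print instead of execute):
#   KEY="$(kms_key_uri alias/cosign-signing)"
#   sign_and_attest 123456789012.dkr.ecr.us-east-1.amazonaws.com/app@sha256:<digest> "$KEY"
#   verify_all 123456789012.dkr.ecr.us-east-1.amazonaws.com/app@sha256:<digest> "$KEY"
```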