Description
As of cosign v2.2.1, the cosign attach sbom command has been deprecated in favor of cosign attest --type ... (see sigstore/cosign#2755). This has unfortunately created confusion for consumers who want to use Sigstore to publish SBOMs for artifacts and create tooling around the published SBOM data.
The Sigstore documentation currently references the cosign attach ... command for SBOMs in its examples. This should be replaced with exact/specific commands to attach and sign SBOMs using cosign attest --type arguments.
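The replacement workflow requested above could look like the following. This is an added example, not part of the original issue or the Sigstore documentation. It assumes key-based signing with `cosign.key` / `cosign.pub`; the function names and the `registry.example/app` image are hypothetical, and the digest is a placeholder.

```shell
# Added example: choose the `cosign attest --type` value from the SBOM
# format and build the attest / verify-attestation command lines.

# Print the cosign predicate type for an SBOM file, or fail if unknown.
sbom_predicate_type() {
  local file="$1"
  if grep -q '"spdxVersion"' "$file"; then
    echo spdxjson            # SPDX JSON document
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    echo cyclonedx           # CycloneDX JSON document
  elif grep -q '^SPDXVersion:' "$file"; then
    echo spdx                # SPDX tag-value document
  else
    echo "unrecognized SBOM format: $file" >&2
    return 1
  fi
}

# Print the command that signs FILE as an SBOM attestation on IMAGE.
# IMAGE must be pinned by digest so the attestation binds to fixed content,
# not to a tag that can later point at a different image.
attest_sbom_cmd() {
  local image="$1" file="$2" key="$3" ptype
  case "$image" in
    *@sha256:*) ;;
    *) echo "image must be referenced by digest: $image" >&2; return 1 ;;
  esac
  ptype=$(sbom_predicate_type "$file") || return 1
  echo "cosign attest --key $key --type $ptype --predicate $file $image"
}

# Print the matching consumer-side verification command.
verify_sbom_cmd() {
  local image="$1" ptype="$2" pubkey="$3"
  echo "cosign verify-attestation --key $pubkey --type $ptype $image"
}

# Demo on a constructed SBOM and a placeholder digest (prints the commands,
# does not invoke cosign or contact a registry).
demo=$(mktemp)
printf '{"spdxVersion":"SPDX-2.3","name":"constructed-sample"}\n' > "$demo"
attest_sbom_cmd "registry.example/app@sha256:<digest>" "$demo" cosign.key
verify_sbom_cmd "registry.example/app@sha256:<digest>" spdxjson cosign.pub
rm -f "$demo"
```

Unlike the deprecated `cosign attach sbom`, which only uploads the file, `cosign attest` wraps the SBOM in a signed in-toto statement, so consumers should read it back through `cosign verify-attestation` with the same `--type`.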