An additional consideration when trying to use syft and cosign with AWS KMS and ECR:
Deprecating the sbom option while syft does not support attest via a KMS key makes life nasty and difficult when trying to use cosign features as intended.
In my case (which I'm pretty sure is fairly standard) I'm using cosign with a KMS-managed key to sign my images stored in my private ECR.
The eventual deprecation of sbom would require me to use syft attest with a different key management solution, given it has no support for KMS, meaning I cannot reuse the same mechanism (not the key) for signing the image and the SBOM.
This is complicating setup and increasing operational as well as security risk.
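The workflow the comment describes, written out as an added example (it is not code from the issue thread or from the cosign or syft projects): the image is signed with an AWS KMS-managed key, the SBOM is generated with syft, and the SBOM is then attached as an attestation signed by the same KMS key via cosign attest, so that one signing mechanism covers both artifacts and is verified the same way. The KMS key ARN, the ECR image reference and the SBOM file name are placeholder assumptions. Setting DRY_RUN=1 prints each command instead of executing it, so the flow can be inspected on a machine without cosign, syft or AWS credentials.

```shell
#!/usr/bin/env sh
# Added example: sign an ECR image and attest its SBOM with one AWS KMS key.
# The ARN, image reference and file name below are placeholders (assumptions).
KMS_KEY="${KMS_KEY:-awskms:///arn:aws:kms:us-east-1:000000000000:alias/placeholder-cosign}"
IMAGE="${IMAGE:-000000000000.dkr.ecr.us-east-1.amazonaws.com/example/app@sha256:<digest>}"
SBOM_FILE="${SBOM_FILE:-sbom.spdx.json}"

# With DRY_RUN=1 the command line is printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Sign the image; the private key stays inside KMS.
sign_image() {
  run cosign sign --key "$KMS_KEY" "$IMAGE"
}

# 2. Produce the SBOM (SPDX JSON) with syft; no signing happens here.
generate_sbom() {
  run syft packages "$IMAGE" -o spdx-json --file "$SBOM_FILE"
}

# 3. Wrap the SBOM in an in-toto attestation signed by the same KMS key.
attest_sbom() {
  run cosign attest --key "$KMS_KEY" --type spdxjson --predicate "$SBOM_FILE" "$IMAGE"
}

# 4. Verify the image signature and the SBOM attestation with that key.
verify_all() {
  run cosign verify --key "$KMS_KEY" "$IMAGE" &&
  run cosign verify-attestation --key "$KMS_KEY" --type spdxjson "$IMAGE"
}

# Whole pipeline; a non-zero status from any step stops the chain.
pipeline() {
  sign_image && generate_sbom && attest_sbom && verify_all
}

# Execute only when invoked as "sh script.sh run"; sourcing defines the functions.
if [ "${1:-}" = "run" ]; then
  pipeline
fi
```

Because cosign handles both the image signature and the SBOM attestation, the verification side needs only the public half of the KMS key, and the same awskms:/// reference appears in every signing and verification step.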