You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The information at https://ko.build/features/sboms/ tells you to display the generated SBOM using cosign download sbom and while this works the tool (and the docs the command links to on the above page) mentions how it is deprecated:
cosign download sbom <image uri>
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations.
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.
Found SBOM of media type: text/spdx+json
[...]
However, using the command that cosign suggests does not work:
cosign download attestation <image uri>
Error: found no attestations
main.go:74: error during command execution: found no attestations
Is this a known problem?
The text was updated successfully, but these errors were encountered:
Hello,
The information at https://ko.build/features/sboms/ tells you to display the generated SBOM using
cosign download sbomand while this works the tool (and the docs the command links to on the above page) mentions how it is deprecated:However, using the command that
cosignsuggests does not work:Is this a known problem?
The text was updated successfully, but these errors were encountered: