sbom handling deprecated?

[eest]

Hello,

The information at https://ko.build/features/sboms/ tells you to display the generated SBOM using cosign download sbom and while this works the tool (and the docs the command links to on the above page) mentions how it is deprecated:

cosign download sbom <image uri>
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations.
WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.
Found SBOM of media type: text/spdx+json
[...]

However, using the command that cosign suggests does not work:

cosign download attestation <image uri>
Error: found no attestations
main.go:74: error during command execution: found no attestations

Is this a known problem?

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

[eest]

lifecycle/frozen

edit: I guess a note from me is not what was requested by the bot, but I am still interested in this :)

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.