generate attestations for multi-arch signed SBOMs #3562

Open
ruzickap opened this issue Jan 3, 2025 · 0 comments
Labels
enhancement New feature or request

Comments


ruzickap commented Jan 3, 2025

What would you like to be added:

Would it be possible to generate attestations + SBOMs for multiple platforms?

Something like:

```shell
syft attest --platform=linux/amd64,linux/arm64 quay.io/example/my-container-image
```

After such an action it should be possible to use cosign to properly extract the SBOMs, like in this case:

```shell
cosign verify-attestation --type https://spdx.dev/Document --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main cgr.dev/chainguard/go | jq
cosign download attestation --platform=linux/amd64 --predicate-type=https://spdx.dev/Document cgr.dev/chainguard/go | jq
cosign download attestation --platform=linux/arm64 --predicate-type=https://spdx.dev/Document cgr.dev/chainguard/go | jq
```

FYI: I'm not sure if using something like this may work (and whether it is a good approach):

```shell
syft attest --platform=linux/amd64 quay.io/example/my-container-image
syft attest --platform=linux/arm64 quay.io/example/my-container-image
```

because then `cosign download attestation` doesn't work:

```shell
cosign download attestation --platform=linux/amd64 --predicate-type=https://spdx.dev/Document quay.io/example/my-container-image@sha256:6exxxxxx77f
Error: found no attestations
main.go:74: error during command execution: found no attestations
```

Anyway, the goal is to use syft to easily generate SBOM attestations for multi-arch images signed by cosign...

Why is this needed:

I would like to generate + sign (cosign) attestations which will contain SBOMs for a multi-arch (amd64, arm64) container image.

Additional context:

@ruzickap ruzickap added the enhancement New feature or request label Jan 3, 2025
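As an added illustration, not part of the issue above and not syft's or cosign's own code: with cosign's default tag-based attachment, as I understand it, an attestation for a manifest with digest `sha256:<hex>` is stored at `<repo>:sha256-<hex>.att`, and `cosign download attestation --platform=...` resolves the requested platform to a child manifest of the image index before looking for that tag. So for a multi-arch image the SBOM and attestation have to be produced per child-manifest digest, not once for the index. The script below resolves each platform to its digest from an image index, derives the attestation tag, and emits the per-digest syft/cosign commands. The sample index and its digests are constructed; the `syft scan ... -o spdx-json=<file>` and `cosign attest --type spdxjson --predicate ... --yes` flags are the ones in recent releases as I know them. It only prints the commands; nothing here talks to a registry.

```python
"""Plan per-platform SBOM attestations for a multi-arch image.

Added example (not syft's or cosign's code). Assumes cosign's default
tag-based attachment: an attestation for sha256:<hex> lives at
<repo>:sha256-<hex>.att. Sample index and digests are constructed.
"""
import json

INDEX_MEDIA_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

# Constructed sample index. The last entry mimics a BuildKit
# provenance/attestation manifest: it is listed with platform
# unknown/unknown and must be skipped when resolving real platforms.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "a1" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b2" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c3" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm", "variant": "v7"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "d4" * 32, "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:" + "a1" * 32}},
    ],
})

# Constructed single-platform manifest: it has no platform children at all.
SINGLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
})


def platform_key(platform: dict) -> str:
    """Normalize a platform object to the os/arch[/variant] form used on the CLI."""
    key = f"{platform.get('os')}/{platform.get('architecture')}"
    if platform.get("variant"):
        key += "/" + platform["variant"]
    return key


def resolve_platform(index_json: str, platform: str) -> str:
    """Return the digest of the child manifest for `platform` (e.g. linux/arm64)."""
    index = json.loads(index_json)
    if index.get("mediaType") not in INDEX_MEDIA_TYPES:
        raise ValueError("not an image index: a single-platform image has no platform children")
    for manifest in index.get("manifests", []):
        plat = manifest.get("platform") or {}
        if plat.get("os") == "unknown":
            continue  # BuildKit attestation manifest, not a runnable image
        if platform_key(plat) == platform:
            return manifest["digest"]
    raise LookupError(f"platform {platform} not present in index")


def attestation_tag(digest: str) -> str:
    """Tag cosign uses for attestations on a digest: sha256:<hex> -> sha256-<hex>.att."""
    algo, hexdigest = digest.split(":", 1)
    return f"{algo}-{hexdigest}.att"


def plan_commands(repo: str, index_json: str, platforms: list,
                  predicate_type: str = "spdxjson") -> list:
    """Emit three commands per platform: generate SBOM, attest the digest, verify retrieval."""
    commands = []
    for platform in platforms:
        digest = resolve_platform(index_json, platform)
        ref = f"{repo}@{digest}"
        sbom_file = f"sbom-{platform.replace('/', '-')}.spdx.json"
        # 1. SBOM for this exact child manifest digest, not for the index.
        commands.append(f"syft scan {ref} -o spdx-json={sbom_file}")
        # 2. Attest that digest; cosign stores it at {repo}:{attestation_tag(digest)}.
        commands.append(f"cosign attest --yes --type {predicate_type} --predicate {sbom_file} {ref}")
        # 3. Retrieval by platform goes through the index and lands on the same digest.
        commands.append(f"cosign download attestation --platform={platform} "
                        f"--predicate-type=https://spdx.dev/Document {repo}")
    return commands


if __name__ == "__main__":
    for cmd in plan_commands("quay.io/example/my-container-image", SAMPLE_INDEX,
                             ["linux/amd64", "linux/arm64", "linux/arm/v7"]):
        print(cmd)
```

The `unknown/unknown` skip matters in practice: images built with BuildKit provenance carry an extra index entry per platform that is not a runnable image, and a naive "attest every manifest in the index" loop would try to run syft against it.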