Update Documentation for Attaching SBOMs

[adambkaplan]

Description

As of cosign v2.2.1, the cosign attach sbom command has been deprecated in favor of cosign attest --type ... (see sigstore/cosign#2755). This has unfortunately created confusion for consumers who want to use Sigstore to publish SBOMs for artifacts and create tooling around the published SBOM data.

The Sigstore documentation currently references the cosign attach ... command for SBOMs in its examples. This should be replaced with exact/specific commands to attach and sign SBOMs using cosign attest --type arguments.

[adambkaplan]

Note that many vendors have already published this guidance:

1. Chainguard: https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-sign-an-sbom-with-cosign/
2. Aquasec (Trivy): https://trivy.dev/v0.33/docs/attestation/sbom/
3. Anchore (syft): https://anchore.com/sbom/creating-sbom-attestations-using-syft-and-sigstore/ - uses cosign attach instead of cosign attest for the attestation