Attest support for Singularity images

[tri-adam]

What would you like to be added:

Support for the singularity image source in the syft attest command.

Why is this needed:

Singularity users are able to generate an SBOM from their SIF image using Syft. It's a natural next step for them to want to include the SBOM in an attestation. Although this is possible without support directly in Syft, having it directly included would simplify user workflows.

Additional context:

The behaviour at the moment:

$ syft attest singularity:alpine.sif 
2022/09/02 14:05:50 error during command execution: attest command can only be used with image sources fetch directly from the registry, but discovered an image source of "Singularity" when given "singularity:alpine.sif"

[tri-adam]

As discussed in yesterday's community call, I'm not 100% sure what the workflow(s) should look like here.

SIF is able to store arbitrary data within the image itself, and this may well be the expected behaviour of the average Singularity user. In other words, syft attest image.sif would end up adding the attestation within image.sif.

Leveraging Rekor and/or an OCI registry to store the attestation might also be compelling.