SBOMit

The SBOMit specification is an SBOM-format-independent method for attesting components with additional verification information. These attestations are generated at the time the supply chain was generated.

This verification information, which uses in-toto attestations and layouts, can be validated by a party to gain a high degree of assurance about the software.