Brussels / 31 January & 1 February 2026


Current state of attestations in programming language ecosystems


Over the past few years, npm, PyPI, RubyGems, and Maven Central have implemented attestations to provide build provenance: linking a package to its exact source code and build instructions. Some of these ecosystems have also implemented publish/release attestations that detail exactly which files a specific version of a package should contain. These attestations are distributed as Sigstore bundles, so we'll start by covering enough Sigstore to understand how to verify these bundles and extract the attestation information from them, then go over the APIs each ecosystem exposes for retrieving its attestations, discuss the implementation tradeoffs each ecosystem made, and look at alternatives that non-programming-language ecosystems might consider.
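As an added illustration (not from the talk, and not code from any of these registries), here is the part that comes after Sigstore has verified a bundle's signature: unwrap the DSSE envelope, check that the in-toto subject digest matches the file actually downloaded, and read the predicate to tell build provenance from a publish attestation. The predicate-type URIs are taken from the SLSA and PyPI specifications rather than from this page, the `example_pkg` artifact and bundle are constructed, and the certificate, Rekor and signature checks are assumed to have been done by a sigstore client library beforehand.

```python
import base64
import hashlib
import json

# Predicate types from the SLSA and PyPI specs (assumed here; not quoted on this page).
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
PYPI_PUBLISH_V1 = "https://docs.pypi.org/attestations/publish/v1"
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"

def statement_from_bundle(bundle: dict) -> dict:
    """Unwrap the in-toto Statement in a Sigstore bundle's DSSE envelope.
    No signature/certificate/Rekor check happens here: run a sigstore verifier first."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env['payloadType']}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        raise ValueError("payload is not an in-toto v1 Statement")
    return stmt

def subject_matches(stmt: dict, filename: str, artifact: bytes) -> bool:
    """True only if some subject names this file AND its sha256 equals the download."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("name") == filename and s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", []))

def describe(stmt: dict) -> dict:
    """Classify the attestation; for build provenance, list the source it links to."""
    kind = {SLSA_PROVENANCE_V1: "build-provenance", PYPI_PUBLISH_V1: "publish"}.get(
        stmt["predicateType"], "unknown")
    info = {"kind": kind}
    if kind == "build-provenance":
        deps = stmt["predicate"].get("buildDefinition", {}).get("resolvedDependencies", [])
        info["sources"] = [(d["uri"], d.get("digest", {}).get("gitCommit")) for d in deps]
    return info

# Constructed sample: an unsigned bundle shaped like the ones registries serve.
ARTIFACT = b"constructed sdist bytes, not a real package"
FILENAME = "example_pkg-1.0.0.tar.gz"

def sample_bundle(predicate_type: str, predicate: dict) -> dict:
    stmt = {"_type": IN_TOTO_STATEMENT_V1, "predicateType": predicate_type, "predicate": predicate,
            "subject": [{"name": FILENAME, "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}]}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
            "verificationMaterial": {},  # cert chain and Rekor entry omitted in this sample
            "dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                             "payload": payload, "signatures": []}}
```

The digest comparison is the step that ties the attestation to the bytes you installed; an attestation whose subject does not match the download says nothing about it, however valid its signature.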

Speakers

Zach Steindler
