Justin Cormack
Justin is the CTO of Docker and a member of the Technical Oversight Committee of the CNCF. He has been working on cloud native and especially cloud native security for some time now.
Session
What are supply chain attestations and why are you hearing more about them?

Attestations are the underlying metadata building blocks from which supply chain security can be built up in a flexible way, adding more detailed layers of security over time. They can be used as components of an SBOM, as evidence of how something was built (as in TestifySec's Witness project), or as evidence that expected processes were followed. They can also be used to support different kinds of policy, especially zero trust.

This talk will give an introduction to attestations, explain their use cases and importance, show how they relate to and enhance signatures and JWTs, show how to verify and validate them, and cover in-toto layouts and policies. It will discuss the addition of in-toto attestations to the BuildKit open source project that powers Docker build, what this enables you to do, and attestations in Docker Official Images. We will also cover current and future work we are doing on attestations, verification and zero trust.