There is this nice feature from github to show that a git commit is signed using a gpg key.

I followed the following articles:

• https://help.github.com/articles/adding-a-new-gpg-key-to-your-github-account/
• https://help.github.com/articles/signing-commits-using-gpg/

and I'm now able to sign my commits and tags using the command line by default.
(This is also visible/marked as "Verified" in the github repository)

However eclipse refuses to (properly) sign any git commit (with gpg) even if I turn on/off the "sign-off" button. It also doesn't show whether a commit was signed at all.

What am I doing wrong or is eclipse/egit not (yet) able to deal with gpg?

I use the following tools

• Eclipse Mars.1+2
• GPG4Win 2.2.0
• Git 2.8.2

It seems to be a missing feature of EGit, you should probably suggest this enhancement to http://bugs.eclipse.org .

That should be possible with Eclipse 2019-03 (three years later), which includes EGit 5.3.0.

EGit 5.3.0 can sign commits with GPG.

Note: EGit 5.3.0 requires Eclipse Neon (4.6) or better.
So you can test it in your Eclipse, as long as it is Neon or more recent.

The new icon in the upper right will allow you to toggle commit signing on or off.

The default is read from the Git configuration.
If the config option commit.gpgsign is set to true, the button will be selected by default.
The value of user.signingkey will be used to determine the signing key.

• If the value is unset, the email address of the committer will be used to lookup the key.
• If no key can be found a commit will fail.

Keys will be looked up from your GPG keyring (either ~/.gnupg/pubring.kbx or ~/.gnupg/secring.gpg;
on Windows the directory %APPDATA%\gnupg is used—if it exists—instead of ~/.gnupg).

See the following GitHub help pages for help on GPG signing keys:

• Generating a new GPG key
• Telling Git about your signing key
• Associating an email with your GPG key

It seems to be a missing feature of EGit, you should probably suggest this enhancement to http://bugs.eclipse.org .

Update 2022:

Since EGit 5.11 (Eclipse 2021-03) you can

• sign commits with an external GPG installation: https://wiki.eclipse.org/EGit/New_and_Noteworthy/5.11#Using_GPG_to_Sign_Commits_and_Tags
• verify commit signatures in the History view by clicking on a particular commit: https://wiki.eclipse.org/EGit/New_and_Noteworthy/5.11#Verifying_Commit_Signatures
• there is an issue to highlight signed commits in the History view without clicking on a particular commit, like on GitHub: https://bugs.eclipse.org/bugs/show_bug.cgi?id=576307 (Status = NEW at the time of writing)

You can also automatically sign commits when you commit in Eclipse

The following worked for me:

1. Reference your GPG installation in the Eclipse preferences:
2. Update your .gitconfig as follows:

Add your sign key (replace 0150436D9CD488B3, see https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key how to find yours)

git config --global user.signingkey 0150436D9CD488B3

Add your GPG installation (replace the path):

git config --global gpg.program "C:\Program Files\Git\usr\bin\gpg.exe"

Set auto-sign to true:

git config --global commit.gpgsign = true

Now the "Sign Commit" toggle button is toggled by default:

This was bumped to JGit in 2016, with the original request made in 2012 and is still in a New state: https://bugs.eclipse.org/bugs/show_bug.cgi?id=382212. Sadly not much apparent traction on this.

It might be time to consider git 2.34 or above where you can use SSH keys to sign git commits and tags. This has been around since late 2021. Git uses ssh-keygen -Y to sign and verify contents. My team is moving in that direction now that we are all on 2.35.1. We previously used GPG for this purpose.