I want to block fake users in git commit. That means one user must not be able to change his/her email with someone else. I use gitolite. How can I implement this feature? As I have users' public keys, can I bind their email/name to that public key?

As I have users' public key, can I bind email/name with that public key?

Not natively: Gitolite only works with the user id (as extracted from the http or ssh session and set in a variable GL_USER)

So you need to have that information elsewhere.

What I use is the public keys which are given by the users and stored in the gitolite/keys dir of the gitolite-admin repo.

A public ssh key is composed of 3 parts:

 ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WhateverYouWant

The last part, after the public key, is a string which can represent what you want.

I demand from the user a key with their email address in it (at the end).
I then setup a VREF (an update hook in gitolite) for all repo, which will validate the user.email seen in the commits with the email extracted from the ~gitolite/.ssh/authorized_keys file.
That file is managed by gitolite, and contains both the user.name and its email (because of the way I expect the users to give me their public key)

 command=="..../gitolite-shell user-id" xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx WhateverYouWant

If any of the email doesn't match the right user name, the VREF hook will reject the push.

My own VREF CHECKID (for a slightly different) purpose, is declare in the gitolite.conf as:

repo    @all
  RW+                            = gitoliteadm
  -     VREF/CHECKID             = @all

I wrote a hook that takes a slightly different approach than the previous answer. You put in an EMAILDOMAIN at the top, and it makes sure that the email address on the commit log equals [the committing user's SSH key file name]@[EMAILDOMAIN].

I tossed this into gitolite-admin/common-hooks so it runs server side on pushes.

#!/bin/bash

EMAILDOMAIN="company.com"

if [[ $2 = 0000000000000000000000000000000000000000 ]] || [[ $3 = 0000000000000000000000000000000000000000 ]]
then
  exit 0
fi

# get name and email from git log
EMAILCMD="git log --format="%ce" $3 -1"
EMAIL=$($EMAILCMD)  
NAMECMD="git log --format="%cn" $3 -1"
NAME=$($NAMECMD)

# environment variable for the gitolite user (the SSH key)
# echo $GL_USER

# compare email with gitolite user
EXPEMAIL="$GL_USER@$EMAILDOMAIN"
if [ "{$EXPEMAIL,,}" != "{$EMAIL,,}" ]
then
  echo "You're committing with the SSH key for '$GL_USER'. That key belongs to $EXPEMAIL."
  echo "  (You've configured your email as $EMAIL)"
  exit 1
fi

# TODO: maybe, if we ever bother installing mail on this box, send an email to some admins if someone is trying to key share

# check the name...
IFS=' ' read -ra NAMEPARTS <<< "${NAME,,}"
PARTCOUNT=0
for PART in "${NAMEPARTS[@]}"
do
  PARTCOUNT=$((PARTCOUNT+1))
done

# make sure it's a full name
if (( "$PARTCOUNT" < 2 ))
then
  echo "You should put in your full name, $NAME."
  echo "If you've really only got one name (like Sting or Madonna), email an admin and we can make an exception for you."
  exit 1
fi

exit 0