Gitosis is able to authenticate users based on a public/private key pair. It is able to find out which user is currently committing. However, the user name and email are taken from the client's Git configuration ('git config user.name' etc.), which can be set to arbitrary values. Is there any way to associate user names and emails with their public keys and then make Gitosis use these names and emails as the name and email of the committer?
I do not care if I will use Gitosis or WebDAV or some other alternative to share the repository. It just seems to me that none of the available methods supports this enforcement of using some kind of "correct" user name and email. If there exists some alternative, please tell me about it.
The example update-paranoid hook in Git sources does the following check:
For all new commit or tag objects the committer (or tagger) line within the object must exactly match one of the user.committer values listed in the acl file.
I guess that one can configure Gitosis or Gitolite to do a similar check, or you can write your own update or pre-receive hook. In all those cases the push must be done via "smart" transport, one that can use Git. This means pushing via SSH, or via "smart" HTTP (git-http-backend); it excludes pushing via WebDAV ("dumb" HTTP(S)).
Note that it doesn't make sense to check authorship of commits, as they may come from patches sent by email (it is the committer that should check them before applying), or from cherry-picking or rebasing.
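
A sketch of the kind of update hook the answer describes, added here as an illustration; it is not code from the original answer or from Git's update-paranoid. It checks only the committer header of each new commit (not the author, and not tags) against a per-user list. The `ACL` contents, the `AUTH_USER` environment variable and the sample commit are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Update hook sketch: committer lines must match the pushing user's ACL entry."""
import os, re, subprocess, sys

# Hypothetical ACL: authenticated account -> permitted "Name <email>" identities.
ACL = {"alice": {"Alice Example <alice@example.org>"}}
ZERO = "0" * 40

# Constructed raw commit object (the format `git cat-file commit <sha>` prints).
SAMPLE = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Bob Example <bob@example.org> 1700000000 +0000\n"
    "committer Alice Example <alice@example.org> 1700000100 +0000\n"
    "\n"
    "Apply Bob's patch\n\ncommitter Mallory <m@example.org> 1 +0000\n"
)

def committer_identity(raw_commit):
    """Return 'Name <email>' from the committer header, ignoring the message body."""
    headers = raw_commit.split("\n\n", 1)[0]
    for line in headers.splitlines():
        m = re.match(r"committer (.+ <[^>]*>) \d+ [+-]\d{4}$", line)
        if m:
            return m.group(1)
    return None

def rejected(user, raw_commits, acl=ACL):
    """Return the committer identities that `user` is not allowed to push."""
    allowed = acl.get(user, set())
    idents = [committer_identity(r) or "<no committer line>" for r in raw_commits]
    return [i for i in idents if i not in allowed]

def git(*args):
    return subprocess.run(["git", *args], capture_output=True, check=True,
                          encoding="utf-8", errors="replace").stdout

def main(argv):
    new = argv[3]                      # update hook args: refname, old sha, new sha
    if new == ZERO:                    # ref deletion: nothing to inspect
        return 0
    user = os.environ.get("AUTH_USER", "")   # hypothetical variable set by the SSH front end
    shas = git("rev-list", new, "--not", "--all").split()   # commits new to this repo
    bad = rejected(user, [git("cat-file", "commit", s) for s in shas])
    for ident in bad:
        print(f"denied: {user!r} may not push commits by {ident}", file=sys.stderr)
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The sample commit has a different author than committer and a forged "committer" line in its message body; only the real header is compared, so it passes for alice and is refused for any other account.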