Check keyId against actor's public key

index.php

@@ -1555,6 +1555,14 @@ HTML;
 		$userData  = getDataFromURl( $publicKeyURL );
 		$publicKey = $userData["publicKey"]["publicKeyPem"];
 
+		//	Check that the actor's key is the same as the key used to sign the message
+		//	Get the actor's public key
+		$actorData = getDataFromURl( $body["actor"] );
+		$actorPublicKey = $actorData["publicKey"]["publicKeyPem"];
+
+		if ( $publicKey != $actorPublicKey ) {	
+			$verified = false;
+		} else {
 			//	Get the remaining parts
 			$signature = base64_decode( $signatureParts["signature"] );
 			$algorithm = $signatureParts["algorithm"];
@@ -1583,6 +1591,7 @@ HTML;
 			} else {
 				$verified = null;
 			}
+		}
 
 		//	Filename for the log
 		$filename  = "{$timestamp}.{$type}.Signature.". json_encode( $verified ) . ".txt";
@@ -1595,7 +1604,8 @@ HTML;
 			"Calculated signatureString:\n" . print_r( $signatureString, true )  . "\n\n" .
 			"Calculated algorithm:\n"       . print_r( $algorithm, true )        . "\n\n" .
 			"publicKeyURL:\n"               . print_r( $publicKeyURL, true )     . "\n\n" .
-			"publicKey:\n"                  . print_r( $publicKey, true )        . "\n"
+			"publicKey:\n"                  . print_r( $publicKey, true )        . "\n\n" .
+			"actorPublicKey:\n"             . print_r( $actorPublicKey, true )   . "\n"
 		);
 
 		return $verified;