Multiple contract extensions

Question content

I hope to be able touse itext to sign pdf files multiple times. But I don't have the private key. I'm generating a hash for the client to sign, and after re-signing, I call signDeferred(). Is it possible to make multiple empty containers, generate a hash with all empty containers, and then add signatures as they appear?

I tried adding more than 1 empty container, generated the hash, client signed and returned the hash, I tried adding but got the error that it was not the last field. You can only call ​​signDeferred on the last field. But I don't know how to fix it since signDetached is not an option since I don't have the private key.

Workaround

No, this is not possible, at least not for interoperable PDF signatures.

The reason is that there is no real concept of parallel signatures (or counter-signatures) specified for PDF, only the concept of serial signatures, one signature after another, with each new signature also overwriting all previous signatures:

(See this answer for more details.)

Strictly speaking, the PDF specification does not require signatures to cover all entire revisions except for placeholders embedded in the signature container itself, it just recommends it. Therefore, it is theoretically possible to create a PDF with multiple signatures, each covering the entire PDF except for all embedded signature values.

But in practice, the PDF signature validator rejects such constructs. Additionally, more modern signing profiles (particularly the PAdES baseline profile) do require signatures to cover all entire revisions except for signed container placeholders.

The above is the detailed content of Multiple contract extensions. For more information, please follow other related articles on the PHP Chinese website!