Multiple deferred signing

I would like to be able to sign a PDF file multiple times using iText. But I don’t have the private keys. I am generating a hash for a client to sign, and after I get it back signed, I call signDeferred(). Is it possible to make more than one empty container, generate a hash with all the empty containers and then add signatures as they come?

I tried adding more than one empty container and generating a hash; the client signs and returns the hash, and when I try to add it I get an error that it is not the last field. You can only call signDeferred on the last field. But I am not sure how to fix it, since signDetached is not an option because I don’t have the private key.

No, that’s not possible, at least not for interoperable PDF signatures.

The reason is that there are no real parallel signing (or counter signing) concepts specified for PDFs; there is only a serial signing concept, one signature after the other, with each new signature also covering all previous signatures.

(For more details see this answer.)

Strictly speaking, the PDF specification does not require a signature to cover its whole revision except the placeholder for the embedded signature container itself; it only recommends it. Thus, in theory it is possible to create a PDF with multiple signatures each of which covers the whole PDF except all the embedded signature values.

In practice, though, PDF signature validators will reject such constructs. Furthermore, more modern signature profiles (in particular the PAdES baseline profiles) do require a signature to cover its whole revision except the placeholder for its signature container.
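The coverage rule described in the answer above can be checked directly on a file's `/ByteRange` arrays. The following is an added example, not code from the post or from iText: the function names and the toy PDFs are constructed for illustration, and it assumes signature dictionaries are written uncompressed so that `/ByteRange` can be found in the raw bytes.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[([\d\s]+)\]")
HOLE = b"<" + b"0" * 16 + b">"  # constructed empty signature container

def check_coverage(pdf: bytes) -> list:
    """Problems per /ByteRange in file order; an empty list means it passes."""
    report, prev_end = [], 0
    for m in BYTE_RANGE.finditer(pdf):
        nums = [int(n) for n in m.group(1).split()]
        if len(nums) != 4:  # more than one excluded gap
            report.append(["excludes more than its own placeholder"])
            continue
        a, b, c, d = nums
        gap, end, problems = pdf[a + b:c], c + d, []
        if a != 0:
            problems.append("signed range does not start at byte 0")
        if not (gap.startswith(b"<") and gap.endswith(b">")):
            problems.append("gap is not one hex-string placeholder")
        if not pdf[:end].rstrip().endswith(b"%%EOF"):
            problems.append("signed range does not end at a revision end")
        if a + b < prev_end:  # serial signing: each gap lies in a newer revision
            problems.append("placeholder sits inside an earlier revision")
        prev_end = max(prev_end, end)
        report.append(problems)
    return report

def build_serial(n: int) -> bytes:
    """Constructed sample: n toy revisions, one placeholder each."""
    pdf, post = b"%PDF-1.7\n", b" >>\n%%EOF\n"
    pre = b"<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    for _ in range(n):
        start = len(pdf) + len(pre % (0, 0, 0))
        stop = start + len(HOLE)
        pdf += pre % (start, stop, len(post)) + HOLE + post
    return pdf

def build_parallel() -> bytes:
    """Constructed sample: two placeholders in one revision, both skipped."""
    pre = b"<< /Type /Sig /ByteRange [0 %04d %04d %04d %04d %04d] /Contents "
    head, mid, post = b"%PDF-1.7\n", b" >>\n", b" >>\n%%EOF\n"
    s1 = len(head) + len(pre % ((0,) * 5))
    e1 = s1 + len(HOLE)
    s2 = e1 + len(mid) + len(pre % ((0,) * 5))
    rng = (s1, e1, s2 - e1, s2 + len(HOLE), len(post))
    return head + pre % rng + HOLE + mid + pre % rng + HOLE + post
```

`check_coverage(build_serial(3))` returns three empty lists, while both signatures in `build_parallel()` are flagged because their ranges skip two gaps instead of one.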
