Electronic signature · Ecuador · Free
Sign and verify PDFs for free with your .p12 certificate.
Free for personal use, for everyone in Ecuador. 100% in your browser: your key never leaves your device. No sign-up, no servers. Open source · LOPDP-compliant.
- Free
- AGPL-3.0
- ETSI EN 319 142
- ARCOTEL TSL
- Mozilla Observatory A+
- SSL Labs A+
- LOPDP nativa
How it works
Three steps. Zero trust required.
You don’t need to trust us with your private key because we never ask for it. The entire process happens on your device.
Step 1
Upload your PDF and certificate
Pick the document to sign and your .p12 file. Everything stays in your browser.
Step 2
Place the stamp and sign
Choose where the visible stamp goes (with verification QR). Confirm with your password and the signature is applied locally.
Step 3
Download the signed PDF
Your PDF is signed with PAdES (ETSI international standard). Ready to send to SRI, bank, counterparty, or anyone.
Why it is safe
Designed so you don't have to trust us.
The security of your certificate and your documents rests on verifiable technical choices, not promises.
Zero server
Your private key (.p12) and PDF never leave your browser. Verify it yourself in DevTools paranoia mode.
Verifiably open source
AGPL-3.0, code in 3 public repos, releases signed with Sigstore Cosign + Rekor tlog + SLSA L2 with L3 elements. Reproducible builds on roadmap.
LOPDP by design
We don't collect personal data on the server. Versioned privacy notice, identified data controller, zero retention.
International standards
PAdES (ETSI EN 319 142). NIST SP 800-131A. OWASP ASVS L2/L3. Strict CSP + Trusted Types + COOP/COEP/CORP.
Who it's for
Anyone with an Ecuadorian electronic certificate (.p12).
Professional
Accountants, lawyers, engineers
Sign invoices, contracts, technical reports with your BCE/Security Data certificate from any device, no Java install.
Company
SMBs and HR
Onboarding, employment contracts, addendums, NDAs. Free verification for counterparties receiving signed PDFs.
Public sector
Public servants and contractors
Compatible with FirmaEC desktop. Compatible with SRI, INCOP policies. Useful when you cannot install software.
Citizen
Anyone with cédula + cert
SRI, bank, IESS paperwork. No account, no payment, no waiting for a technician to configure your token.
Compatibility
We recognise 16 of the 17 ECIs accredited by ARCOTEL.
Compatible with certificates from Security Data, Banco Central del Ecuador (BCE), UANATACA, ANF AC, Consejo de la Judicatura (iCert-EC), ArgosData, Datil, Lazzate, Eclipsoft and the rest of the accredited entities. We embed their trust roots (TSL) directly in the app, each verified individually. If your .p12 certificate was issued by any of them, firmar.ec recognises and validates it offline.
- 16
- ECIs with their own root
- 28
- embedded roots
- 100%
- effective coverage
-
ANFAC (ANF AC Ecuador)
Root: ANF High Assurance Ecuador Root CA
-
Eclipsoft
Root: ECLIPSOFT CA Root
-
Datil Media
Root: Datil Autoridad de Certificación
-
Lazzate
Root: Lazzate Root CA · CA1 · CA2
-
Alpha Technologies
Root: Alpha Technologies Root CA
-
AppFirmas
Root: APPFIRMAS Root C1
-
CorpNewBest
Root: AC Raíz CA-1EFN CorpNewBest
-
DarkCam
Root: DarkCam S.A. CA Root
-
FirmaSegura
Root: AC Raíz CA-1 FirmaSegura S.A.S.
-
LetMi Ecuador
Root: LETMI RSA Root C1
-
PrimeCoreLat
Root: Prime Core Root CA1
The 17th, the national Civil Registry, does not operate its own PKI root: its officials sign with BCE and Security Data certificates — already covered. Coverage is complete in practice.
TSL versioned and audited in packages/tsl-ec of the repository (v1.11.0). Every root is verified by SHA-256 fingerprint and refreshed by workflow.
Compliance
International standards and Ecuadorian regulation.
Every decision is mapped to a verifiable standard. Live external audits below.
| Area | Standard |
|---|---|
| PDF signature | ETSI EN 319 142-1 (PAdES B-B / B-T / B-LT / B-LTA) |
| Timestamp | RFC 3161 (sello de tiempo) · ETSI EN 319 122 |
| Crypto suites | NIST SP 800-131A · FIPS 186-5 |
| Path validation | RFC 5280 · NIST SP 800-89 |
| Revocation | OCSP RFC 6960 · CRL RFC 5280 |
| TLS edge | TLS 1.3 (RFC 8446) · BCP 195 |
| Browser hardening | CSP + Trusted Types + COOP/COEP/CORP |
| A11y | WCAG 2.2 AA |
| App security | OWASP ASVS 4.0.3 L2 |
| Supply chain | SLSA L2 (con elementos L3) + Sigstore Cosign + Rekor tlog + CycloneDX 1.6 + SPDX 2.3 |
| Privacy (EC) | LOPDP + Reglamento RO 569 |
| Validity (EC) | LCE 2002-67 (firma electrónica avanzada) |
Live external audits
- Mozilla Observatory A+
- securityheaders.com A+
- SSL Labs A+
- OpenSSF Scorecard
- Lighthouse 100/100/100/100
Open source
Audit the code yourself.
AGPL-3.0. Releases signed with Sigstore Cosign + Rekor transparency log + SLSA L2 with L3 elements (signed per-release provenance). Reproducible builds on roadmap.
-
Official public OSS mirror
github.com/idkmanager/firmar-ecOpen repository
-
Personal portfolio public mirror
github.com/alfonsokuen/firmar-ecOpen repository
-
Primary repository (Gitea)
git.idkmanager.com/alfonso/firmar-ecOpen repository
Sponsors
Who keeps this sustainable
firmar.ec is free and open source. Its development, security audits and infrastructure are sustained by organizations that value technological sovereignty.
Be the first brand to appear here
Your logo on the home page of Ecuador’s open electronic signature, seen by professionals, businesses and public bodies. Direct payment, no intermediaries.
Operated by
firmar.ec is an open-source non-profit project by IDK Manager, a software studio and technical services workshop in Quito, Ecuador. We build and maintain this tool as a contribution to the Ecuadorian digital ecosystem. No charges. No premium tier. No tracking.
Contact: GitHub Issues · Personal data: idkmanager.com · Security: Private advisory