Protection of private keys used to digitally sign files to be downloaded to a terminal is accomplished by storing the private keys in smartcards, and arranging a secure processor unit embedded in the smartcard to perform all signing operations requiring access to the keys so that the keys never leave the card. In addition, access to the signing operations is protected by multiple PINs, which may be distributed to multiple individuals and/or used to establish different signing authorization levels associated with different types of files.