diff --git a/debian/changelog b/debian/changelog
index 6a2a198..6b9e44f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+shim (0.9+1465500757.14a5905-1) unstable; urgency=medium
+
+  * Initial Debian upload.  Closes: #820052.
+  * Update Standards-Version.
+  * Embed the newly-minted Debian CA certificate.
+  * Vendorize debian/rules so that the same package can be used in both
+    Debian and Ubuntu without modification.
+  * Fix debian/copyright to match the spec (last match wins, not first)
+  * Fix shim.efi to not be executable.
+  * Add watchfile.
+  * Support parallel builds, because eh why not
+  * Update Vcs-Bzr.
+
+ -- Steve Langasek <vorlon@debian.org>  Tue, 23 Aug 2016 05:23:42 +0000
+
 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 
   * New upstream release.
diff --git a/debian/control b/debian/control
index 0f71c7f..25b0b47 100644
--- a/debian/control
+++ b/debian/control
@@ -1,11 +1,10 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
-XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.3
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.8
 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
-Vcs-Bzr: lp:ubuntu/shim
+Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
 
 Package: shim
 Architecture: amd64
diff --git a/debian/copyright b/debian/copyright
index b25a56d..50dabd2 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -3,24 +3,6 @@ Upstream-Name: shim
 Upstream-Contact: Matthew Garrett <mjg@redhat.com>
 Source: https://github.com/mjg59/shim.git
 
-Files: debian/patches/*
-Copyright: 2016 Canonical Ltd.
-License: GPL-2
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; version 2.
- .
- This package is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
- .
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
- .
- On Debian systems, the complete text of the GNU General
- Public License can be found in `/usr/share/common-licenses/GPL-2'.
-
 Files: *
 Copyright: 2012 Red Hat, Inc
 	2009-2012 Intel Corporation
@@ -49,3 +31,21 @@ License: BSD-2-Clause
  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Files: debian/patches/*
+Copyright: 2016 Canonical Ltd.
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/debian-uefi-ca.der b/debian/debian-uefi-ca.der
new file mode 100644
index 0000000..1dd6ee1
Binary files /dev/null and b/debian/debian-uefi-ca.der differ
diff --git a/debian/rules b/debian/rules
index 28523b5..8ff28a0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,7 +1,21 @@
 #!/usr/bin/make -f
 
+# Other vendors, add your certs here.  No sense in using
+# dpkg-vendor --derives-from, because only Canonical-generated binaries will
+# be signed with this key; so if you are building your own shim binary you
+# should be building the other binaries also.
+ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+	cert=debian/canonical-uefi-ca.der
+else
+	cert=debian/debian-uefi-ca.der
+endif
+
 %:
-	dh $@
+	dh $@ --parallel
 
 override_dh_auto_build:
-	dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/canonical-uefi-ca.der
+	dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
+
+override_dh_fixperms:
+	dh_fixperms
+	chmod a-x debian/shim/usr/lib/shim/shim.efi
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 5be73be..d82be74 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,2 @@
 debian/canonical-uefi-ca.der
+debian/debian-uefi-ca.der
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..361d88c
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+# Compulsory line, this is a version 4 file
+version=4
+
+opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
+  https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz