diff --git a/debian/changelog b/debian/changelog
index fa73d1d..b9315bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
 * debian/rules: fixing permissions no longer required
 * debian/rules: Disable ephemeral key on Debian.
 * Rename binary package to 'shim-unsigned'
+ * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
 -- Luca Boccassi Fri, 15 Feb 2019 19:50:10 +0000
diff --git a/debian/control b/debian/control
index 58538d5..bbf0abb 100644
--- a/debian/control
+++ b/debian/control
@@ -18,3 +18,24 @@ Description: boot loader to chain-load signed boot loaders under Secure Boot
 against a built-in signature database. Its purpose is to allow a small,
 infrequently-changing binary to be signed by the UEFI CA, while allowing
 an OS distributor to revision their main bootloader independently of the CA.
+
+Package: shim-amd64-signed-template
+Architecture: amd64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-amd64-signed.
+ This is only needed for Secure Boot singing.
+
+Package: shim-i386-signed-template
+Architecture: i386
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-i386-signed.
+ This is only needed for Secure Boot singing.
+
+Package: shim-arm64-signed-template
+Architecture: arm64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-arm64-signed.
+ This is only needed for Secure Boot singing.
diff --git a/debian/rules b/debian/rules
index 39cab2d..ffd43e0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -46,3 +46,4 @@ override_dh_auto_build:
 override_dh_auto_install:
 dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
+ ./debian/signing-template.generate
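Review bot: All three new Description stanzas in debian/control misspell "signing" in their last line, `This is only needed for Secure Boot singing.`; it should read `This is only needed for Secure Boot signing.`, and the text is user-visible in package listings. The stanzas are identical apart from the architecture, which is fine for a template package, but the typo was copied into each of them.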
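Review bot: `./debian/signing-template.generate` is run from override_dh_auto_install, but the hunk does not show `EFI_ARCH` or `DEB_HOST_ARCH` being exported; the script runs under `set -u` and expands both inside its sed call, so if either is only a make variable the build aborts at the first substitution. DEB_HOST_ARCH is normally placed in the environment by dpkg-buildpackage, but EFI_ARCH is package-specific, so unless it is exported elsewhere in debian/rules (outside this hunk) it should be passed explicitly, e.g. `EFI_ARCH='$(EFI_ARCH)' ./debian/signing-template.generate`. The enclosing rule is only partly visible in the hunk.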
diff --git a/debian/signing-template.generate b/debian/signing-template.generate
new file mode 100755
index 0000000..cc842c1
--- /dev/null
+++ b/debian/signing-template.generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e -u
+
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+
+subst () {
+ sed \ -e "s/@efi@/${EFI_ARCH}/g" \ -e "s/@arch@/${DEB_HOST_ARCH}/g" \ -e "s/@version_binary@/${version_binary}/g" \ -e "s/@version_mangled@/${version_mangled}/g" \ -e "s/@distribution@/${distribution}/g" \ -e "s/@urgency@/${urgency}/g" \ -e "s/@date@/${date}/g" \ "$@"
+}
+
+template='./debian/signing-template'
+pkg_name="shim-${DEB_HOST_ARCH}-signed-template"
+pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
+pkg_deb="${pkg_dir}/source-template/debian"
+
+install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+ src="${template}/${path}"
+ dst="${pkg_deb}/${path}"
+
+install -o 0 -g 0 -m 0755 -d "${dst%/*}"
+ subst < "${src}" > "${dst%.in}"
+ chmod --reference="${src}" "${dst%.in}"
+done
+
+exit 0
diff --git a/debian/signing-template.json.in b/debian/signing-template.json.in
new file mode 100644
index 0000000..cd4f1a9
--- /dev/null
+++ b/debian/signing-template.json.in
@@ -0,0 +1,6 @@
+{"shim-unsigned": {
+ "files": [
+ {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
+ {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
+ ]
+}}
diff --git a/debian/signing-template/README.source b/debian/signing-template/README.source
new file mode 100644
index 0000000..96d94ce
--- /dev/null
+++ b/debian/signing-template/README.source
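Review bot: The loop `while read path`, fed by `find "${template}" -type f -printf '%P\n'`, should be `while read -r path` so a backslash in a template path is not interpreted by read, and because the script runs under plain sh with `set -e` and no pipefail, a failure of `find` itself is masked by the pipeline status. The `subst` helper splices the dpkg-parsechangelog values into the sed expressions unescaped, so a `/`, `&` or `\` in the version, distribution or date field would break or alter the substitution; these values come from the package's own changelog, so the risk is low, but a comment such as `# changelog fields are assumed to contain no / & or \` would make the assumption visible to the next editor.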
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package. It should never be updated directly.
+
+ -- Philipp Matthias Hahn Sat, 07 Apr 2018 16:26:11 +0200
diff --git a/debian/signing-template/changelog.in b/debian/signing-template/changelog.in
new file mode 100644
index 0000000..ca666d7
--- /dev/null
+++ b/debian/signing-template/changelog.in
@@ -0,0 +1,11 @@
+shim-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
+
+ * Update to shim @version_binary@
+
+ -- Debian signing service @date@
+
+shim-@arch@-signed (1) unstable; urgency=medium
+
+ * Add template source package for signing
+
+ -- Philipp Matthias Hahn Sat, 07 Apr 2018 17:16:27 +0200
diff --git a/debian/signing-template/compat b/debian/signing-template/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/signing-template/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
new file mode 100644
index 0000000..a352242
--- /dev/null
+++ b/debian/signing-template/control.in
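Review bot: debian/signing-template/compat selects debhelper compat level `9`, while control.in in the next hunk build-depends on `debhelper (>= 10.1~)`; the two should agree, since the compat file is what actually selects debhelper's behaviour and the version requirement then documents an intent the template does not use. Either raise the compat file to `10` or lower the Build-Depends to the level that is really relied on.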
@@ -0,0 +1,25 @@
+Source: shim-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Steve Langasek
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 10.1~),
+ sbsigntool [amd64 arm64 i386],
+ shim-unsigned (= @version_binary@),
+Rules-Requires-Root: no
+
+Package: shim-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~),
+Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the MOK manager and fall-back manager signed by the
+ Debian UEFI CA to be used by shim-signed.
diff --git a/debian/signing-template/copyright b/debian/signing-template/copyright
new file mode 100644
index 0000000..6d325cb
--- /dev/null
+++ b/debian/signing-template/copyright
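Review bot: `Rules-Requires-Root: no` declares that the generated package builds without (fake)root, but debian/signing-template/rules in a later hunk of this commit runs `install -o 0 -g 0 ...` in override_dh_auto_install; GNU install treats a failed chown as an error, so unless the signing service still builds under fakeroot despite the field, the build will fail as an unprivileged user. Dropping `-o 0 -g 0` from those install calls is the simpler fix, since dh_builddeb is expected to produce root-owned contents under Rules-Requires-Root: no. `Standards-Version: 3.9.8` also appears to predate the Rules-Requires-Root field, so the value should be bumped if the field is kept.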
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This file describes only the shim-signed source package.
+
+Files: debian/signatures/*
+License: public-domain
+ Digital signatures and certificates are presumed not to be
+ copyrightable works, and no copyright is claimed for them.
+Comment:
+ The signatures and certificates in this package cannot be regenerated
+ as-is without the associated private key material, but they can be
+ replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff --git a/debian/signing-template/rules b/debian/signing-template/rules
new file mode 100755
index 0000000..a972e7d
--- /dev/null
+++ b/debian/signing-template/rules
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/shim-unsigned
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ set -e ; \
+ find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+ while read sig; do \
+ install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+ install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+ sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+ done
+
+override_dh_install:
+ dh_install --sourcedir=debian/tmp .
diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native)
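Review bot: The `find ... | while read sig` loop in override_dh_auto_install silently builds an empty package when no `*.sig` exists under `$(SIG_DIR)`, and because only the loop's exit status reaches `set -e`, a failing `find` is masked too; a guard before the loop such as `test -n "$$(find "$(SIG_DIR)" -name '*.sig')"` would turn a missing signature set into a hard build failure. `read sig` should be `read -r sig` so a backslash in a path is not interpreted. Nothing after `sbattach --attach` checks that the attached signature actually covers the binary copied from `/$${sig%.sig}`; if the template can carry the Debian UEFI CA certificate, an `sbverify` of each `debian/tmp/$${sig}ned` would catch a skew between the signatures and the installed shim-unsigned before the package is assembled.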