diff --git a/debian/changelog b/debian/changelog
index 390f19b..9005e80 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,10 @@ shim-signed (1.31) UNRELEASED; urgency=medium
 
   * update-secureboot-policy: fix error if /var/lib/dkms does not
     exist. Closes: #923718
+  * Separate the helper scripts into a new shim-signed-common package,
+    apart from the actual signed shim binaries so that we can
+    sensibly support co-installability using Multi-Arch.
+    Closes: #928486
 
  -- Steve McIntyre <93sam@debian.org>  Sat, 25 May 2019 02:25:24 +0100
 
diff --git a/debian/control b/debian/control
index d43934d..2e3bb54 100644
--- a/debian/control
+++ b/debian/control
@@ -18,6 +18,7 @@ Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git
 
 Package: shim-signed
 Architecture: amd64 i386 arm64
+Multi-Arch: same
 Depends: ${misc:Depends},
  grub-efi-amd64-bin [amd64],
  shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64],
@@ -25,8 +26,7 @@ Depends: ${misc:Depends},
  shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386],
  grub-efi-arm64-bin [arm64],
  shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64],
- grub2-common (>= 2.02+dfsg1-16),
- mokutil
+ grub2-common (>= 2.02+dfsg1-16)
 Recommends: secureboot-db
 Built-Using: shim (= 15+1533136590.3beb971-6)
 Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
@@ -38,3 +38,17 @@ Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
  .
  This package contains the version of the bootloader binary signed by the
  Microsoft UEFI CA.
+
+Package: shim-signed-common
+Multi-Arch: foreign
+Architecture: all
+Depends: ${misc:Depends}, mokutil
+Description: Secure Boot chain-loading bootloader (common helper scripts)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains common helper scripts for all versions of the
+ shim-signed package.
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
deleted file mode 100644
index 5ce68fc..0000000
--- a/debian/lintian-overrides
+++ /dev/null
@@ -1 +0,0 @@
-shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff --git a/debian/rules b/debian/rules
index 72354ff..bca8808 100755
--- a/debian/rules
+++ b/debian/rules
@@ -18,14 +18,21 @@ endif
 %:
 	dh $@
 
-docdir := debian/shim-signed/usr/share/doc/shim-signed
+docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common
 
 override_dh_installchangelogs:
-	dh_installchangelogs
+	dh_installchangelogs -p shim-signed-common
 	# Quieten lintian, which otherwise gets confused by our odd version
 	# number.
 	ln $(docdir)/changelog $(docdir)/changelog.Debian
 
+override_dh_installdocs:
+	dh_installdocs -p shim-signed-common
+	dh_installdocs --remaining-packages --link-doc=shim-signed-common
+
+override_dh_installdebconf:
+	dh_installdebconf -p shim-signed-common
+
 override_dh_gencontrol:
 	dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
 		-Vshim:Version=$(SHIM_VERSION)
diff --git a/debian/shim-signed-common.install b/debian/shim-signed-common.install
new file mode 100644
index 0000000..7c7df5f
--- /dev/null
+++ b/debian/shim-signed-common.install
@@ -0,0 +1,2 @@
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/
diff --git a/debian/shim-signed.links b/debian/shim-signed-common.links
similarity index 100%
rename from debian/shim-signed.links
rename to debian/shim-signed-common.links
diff --git a/debian/shim-signed-common.lintian-overrides b/debian/shim-signed-common.lintian-overrides
new file mode 100644
index 0000000..98a0272
--- /dev/null
+++ b/debian/shim-signed-common.lintian-overrides
@@ -0,0 +1 @@
+shim-signed-common: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff --git a/debian/shim-signed.postinst b/debian/shim-signed-common.postinst
similarity index 100%
rename from debian/shim-signed.postinst
rename to debian/shim-signed-common.postinst
diff --git a/debian/shim-signed.install b/debian/shim-signed.install
index e68b5b5..d2a8083 100644
--- a/debian/shim-signed.install
+++ b/debian/shim-signed.install
@@ -1,3 +1 @@
 build/shim*.efi.signed /usr/lib/shim
-debian/source_shim-signed.py /usr/share/apport/package-hooks/
-update-secureboot-policy /usr/sbin/