diff -Nru grub2-signed-1.162/debian/changelog grub2-signed-1.166/debian/changelog
--- grub2-signed-1.162/debian/changelog	2021-02-17 23:50:08.000000000 +0000
+++ grub2-signed-1.166/debian/changelog	2021-02-18 01:02:04.000000000 +0000
@@ -1,3 +1,10 @@
+grub2-signed (1.166) hirsute; urgency=medium
+
+  * Add {-bin,-dbg} packages that ship matching modules for the signed EFI
+    apps. LP: #1915536
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Thu, 18 Feb 2021 01:02:04 +0000
+
 grub2-signed (1.162) hirsute; urgency=medium
 
   * Rebuild with correct permissions, and higher version number.
diff -Nru grub2-signed-1.162/debian/control grub2-signed-1.166/debian/control
--- grub2-signed-1.162/debian/control	2021-02-17 23:49:44.000000000 +0000
+++ grub2-signed-1.166/debian/control	2021-02-18 01:02:04.000000000 +0000
@@ -2,14 +2,15 @@
 Section: utils
 Priority: optional
 Maintainer: Colin Watson <cjwatson@ubuntu.com>
-Build-Depends: debhelper-compat (= 12), lsb-release, python3, python3-apt, grub-efi-amd64-bin (>= 2.04-1ubuntu39) [amd64], grub-efi-arm64-bin (>= 2.04-1ubuntu39) [arm64]
+Build-Depends: debhelper-compat (= 12), lsb-release, python3, python3-apt
 Standards-Version: 3.9.5
 Vcs-Browser: https://code.launchpad.net/~ubuntu-core-dev/ubuntu/+source/grub2-signed/+git/grub2-signed/+ref/ubuntu/hirsute-devel
 Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/grub2-signed -b ubuntu/hirsute-devel
+Rules-Requires-Root: no
 
 Package: grub-efi-amd64-signed
 Architecture: amd64
-Depends: ${misc:Depends}, grub-efi-amd64-bin (= ${grub2:Version}), grub-efi-amd64 | grub-pc
+Depends: ${misc:Depends}, grub-efi-amd64-bin, grub-efi-amd64 | grub-pc
 Recommends: secureboot-db
 Built-Using: grub2 (= ${grub2:Version})
 Description: GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
@@ -25,9 +26,34 @@
  This package contains a version of GRUB built for use with the EFI-AMD64
  architecture, signed with Canonical's UEFI signing key.
 
+Package: grub-efi-amd64-signed-bin
+Architecture: any-amd64
+Depends: ${misc:Depends}
+Replaces: grub-efi-amd64-bin (<< 2.04-1ubuntu41)
+Breaks: grub-efi-amd64-bin (<< 2.04-1ubuntu41)
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (EFI-AMD64 signed modules)
+ This package contains GRUB modules that have been built for use with the
+ EFI-AMD64 architecture, as used by Intel Macs (unless a BIOS interface has
+ been activated).  It can be installed in parallel with other flavours, but
+ will not automatically install GRUB as the active boot loader nor
+ automatically update grub.cfg on upgrade unless shim-signed is also
+ installed.
+
+Package: grub-efi-amd64-signed-dbg
+Section: debug
+Architecture: any-amd64
+Depends: ${misc:Depends}, grub-efi-amd64-signed-bin (= ${binary:Version})
+Replaces: grub-efi-amd64-dbg (<< 2.04-1ubuntu41)
+Breaks: grub-efi-amd64-dbg (<< 2.04-1ubuntu41)
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (AMD64 UEFI debug files signed)
+ This package contains debugging files for grub-efi-amd64-signed-bin.  You only
+ need these if you are trying to debug GRUB using its GDB stub.
+
 Package: grub-efi-arm64-signed
 Architecture: arm64
-Depends: ${misc:Depends}, grub-efi-arm64 (= ${grub2:Version})
+Depends: ${misc:Depends}, grub-efi-arm64
 Recommends: secureboot-db
 Built-Using: grub2 (= ${grub2:Version})
 Description: GRand Unified Bootloader, version 2 (EFI-ARM64 version, signed)
@@ -42,3 +68,27 @@
  .
  This package contains a version of GRUB built for use with the EFI-ARM64
  architecture, signed with Canonical's UEFI signing key.
+
+Package: grub-efi-arm64-signed-bin
+Architecture: any-arm64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Replaces: grub-efi-arm64-bin (<< 2.04-1ubuntu41)
+Breaks: grub-efi-arm64-bin (<< 2.04-1ubuntu41)
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (EFI-ARM64 signed modules)
+ This package contains GRUB modules that have been built for use with
+ the EFI-ARM64 architecture. It can be installed in parallel with
+ other flavours, but will not automatically install GRUB as the active
+ boot loader nor automatically update grub.cfg on upgrade unless
+ shim-signed is also installed.
+
+Package: grub-efi-arm64-signed-dbg
+Section: debug
+Architecture: any-arm64
+Depends: ${misc:Depends}, grub-efi-arm64-signed-bin (= ${binary:Version})
+Replaces: grub-efi-arm64-dbg (<< 2.04-1ubuntu41)
+Breaks: grub-efi-arm64-dbg (<< 2.04-1ubuntu41)
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (ARM64 UEFI debug files signed)
+ This package contains debugging files for grub-efi-arm64-signed.  You only
+ need these if you are trying to debug GRUB using its GDB stub.
diff -Nru grub2-signed-1.162/debian/grub-efi-amd64-signed-bin.install grub2-signed-1.166/debian/grub-efi-amd64-signed-bin.install
--- grub2-signed-1.162/debian/grub-efi-amd64-signed-bin.install	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-amd64-signed-bin.install	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+*-efi/ usr/lib/grub/
diff -Nru grub2-signed-1.162/debian/grub-efi-amd64-signed-dbg.dirs grub2-signed-1.166/debian/grub-efi-amd64-signed-dbg.dirs
--- grub2-signed-1.162/debian/grub-efi-amd64-signed-dbg.dirs	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-amd64-signed-dbg.dirs	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+usr/lib/grub/x86_64-efi
diff -Nru grub2-signed-1.162/debian/grub-efi-amd64-signed.install grub2-signed-1.166/debian/grub-efi-amd64-signed.install
--- grub2-signed-1.162/debian/grub-efi-amd64-signed.install	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-amd64-signed.install	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+*-efi-signed/ usr/lib/grub/
diff -Nru grub2-signed-1.162/debian/grub-efi-arm64-signed-bin.install grub2-signed-1.166/debian/grub-efi-arm64-signed-bin.install
--- grub2-signed-1.162/debian/grub-efi-arm64-signed-bin.install	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-arm64-signed-bin.install	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+*-efi/ usr/lib/grub/
diff -Nru grub2-signed-1.162/debian/grub-efi-arm64-signed-dbg.dirs grub2-signed-1.166/debian/grub-efi-arm64-signed-dbg.dirs
--- grub2-signed-1.162/debian/grub-efi-arm64-signed-dbg.dirs	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-arm64-signed-dbg.dirs	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+usr/lib/grub/arm64-efi
diff -Nru grub2-signed-1.162/debian/grub-efi-arm64-signed.install grub2-signed-1.166/debian/grub-efi-arm64-signed.install
--- grub2-signed-1.162/debian/grub-efi-arm64-signed.install	1970-01-01 01:00:00.000000000 +0100
+++ grub2-signed-1.166/debian/grub-efi-arm64-signed.install	2021-02-18 01:02:04.000000000 +0000
@@ -0,0 +1 @@
+*-efi-signed/ usr/lib/grub/
diff -Nru grub2-signed-1.162/debian/rules grub2-signed-1.166/debian/rules
--- grub2-signed-1.162/debian/rules	2021-02-17 23:48:58.000000000 +0000
+++ grub2-signed-1.166/debian/rules	2021-02-18 01:02:04.000000000 +0000
@@ -2,21 +2,26 @@
 
 include /usr/share/dpkg/default.mk
 
+SUITE:=hirsute
+VERSION:=2.04-1ubuntu41
+
 %:
 	dh $@
 
-destdir := debian/grub-efi-$(DEB_HOST_ARCH)-signed
-docdir  := $(destdir)/usr/share/doc/grub-efi-$(DEB_HOST_ARCH)-signed
-
-override_dh_installchangelogs:
-	dh_installchangelogs
-	# Quieten lintian, which otherwise gets confused by our odd version
-	# number.
-	ln $(docdir)/changelog $(docdir)/changelog.Debian
+override_dh_install:
+	./download-signed grub2-common $(VERSION) grub2 signed $(SUITE)
+	# don't need control
+	rm -rvf $(VERSION)/control
+	# fixup location of unsigned binaries
+	mkdir -p $(VERSION)/*-efi/monolithic
+	mv $(VERSION)/*-efi-signed/*.efi $(VERSION)/*-efi/monolithic
+	dh_install --sourcedir=$(VERSION)
+	# move debug modules into the debug package
+	mv debian/grub-efi-$(DEB_HOST_ARCH)-signed-bin/usr/lib/grub/*/*.module \
+	   debian/grub-efi-$(DEB_HOST_ARCH)-signed-dbg/usr/lib/grub/*/
 
 override_dh_gencontrol:
-	dh_gencontrol -- -v$(DEB_VERSION)+$(shell cat current/version) \
-		-Vgrub2:Version=$(shell cat current/version)
+	dh_gencontrol -- -v$(DEB_VERSION)+$(VERSION) -Vgrub2:Version=$(VERSION)
 
-override_dh_auto_install:
-	dh_auto_install --destdir=$(destdir)
+override_dh_clean:
+	rm -rvf $(VERSION)
diff -Nru grub2-signed-1.162/download-signed grub2-signed-1.166/download-signed
--- grub2-signed-1.162/download-signed	2021-02-17 23:49:44.000000000 +0000
+++ grub2-signed-1.166/download-signed	2021-02-18 01:02:04.000000000 +0000
@@ -35,6 +35,10 @@
     nargs='?',
     default='signed',
     help="subdirectory type in the url, 'signed' or 'uefi'")
+parser.add_argument(
+    "suite",
+    nargs='?',
+    help="force to download from a non-candidate suite")
 args = parser.parse_args()
 
 
@@ -46,7 +50,7 @@
     identify the members and to validate them once downloaded.
     """
 
-    def __init__(self, package_name, package_version, src_package, signed_type='signed'):
+    def __init__(self, package_name, package_version, src_package, signed_type='signed', suite=None):
         self.package_name = package_name
         self.package_version = package_version
         self.src_package = src_package
@@ -57,7 +61,7 @@
         cache = apt.Cache()
 
         self.package = None
-        if self.package_version == "current":
+        if self.package_version == "current" or suite:
             self.package = cache[package_name].candidate
         else:
             for version in cache[package_name].versions:
@@ -70,9 +74,14 @@
 
         origin = self.package.origins[0]
         pool_parsed = urlparse(self.package.uri)
-        self.package_dir = "%s/%s/%s/%s-%s/%s/" % (
-            origin.archive, 'main', signed_type,
-            self.src_package, self.package.architecture, self.package_version)
+        if suite:
+            self.package_dir = "%s/../%s/%s/%s/%s-%s/%s/" % (
+                origin.archive, suite, 'main', signed_type,
+                self.src_package, self.package.architecture, self.package_version)
+        else:
+            self.package_dir = "%s/%s/%s/%s-%s/%s/" % (
+                origin.archive, 'main', signed_type,
+                self.src_package, self.package.architecture, self.package_version)
 
         # Prepare the master url stem and pull out any username/password.  If present
         # replace the default opener with one which offers that password.
diff -Nru grub2-signed-1.162/Makefile grub2-signed-1.166/Makefile
--- grub2-signed-1.162/Makefile	2021-02-04 11:10:15.000000000 +0000
+++ grub2-signed-1.166/Makefile	1970-01-01 01:00:00.000000000 +0100
@@ -1,35 +0,0 @@
-include /usr/share/dpkg/default.mk
-
-PLATFORM := UNKNOWN-PLATFORM
-EFI_NAME := UNKNOWN-EFI-NAME
-
-ifeq ($(DEB_HOST_ARCH),amd64)
-PLATFORM := x86_64-efi
-EFI_NAME := x64
-endif
-
-ifeq ($(DEB_HOST_ARCH),arm64)
-PLATFORM := arm64-efi
-EFI_NAME := aa64
-endif
-
-SIGNED := \
-	current/grub$(EFI_NAME).efi.signed \
-	current/gcd$(EFI_NAME).efi.signed \
-	current/grubnet$(EFI_NAME).efi.signed
-
-all: $(SIGNED)
-
-$(SIGNED):
-	./download-signed grub2-common current grub2 uefi
-
-check:
-	cmp current/grub$(EFI_NAME).efi /usr/lib/grub/$(PLATFORM)/monolithic/grub$(EFI_NAME).efi
-
-install: $(SIGNED)
-	install -d $(DESTDIR)/usr/lib/grub/$(PLATFORM)-signed
-	install -m0644 $(SIGNED) current/version \
-		$(DESTDIR)/usr/lib/grub/$(PLATFORM)-signed/
-
-clean:
-	rm -rf current/