diff --git a/debian/changelog b/debian/changelog
index 527e42a7d..837d029db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,7 @@ linux (4.5-1~exp2) UNRELEASED; urgency=medium
 - debian/control: Add build-dependencies on libssl-dev, openssl
 - debian/copyright: Note that extract-cert and sign-file are under LGPL 2.1
 - linux-kbuild: Add extract-cert and sign-file programs
+ - scripts: Fix X.509 PEM support in sign-file
 * certs: Set SYSTEM_TRUSTED_KEYS to my own personal certificate to support
 initial testing of signed modules
diff --git a/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
new file mode 100644
index 000000000..36990d8f8
--- /dev/null
+++ b/debian/patches/bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
@@ -0,0 +1,37 @@
+From: Ben Hutchings
+Date: Mon, 04 Apr 2016 12:53:35 +0100
+Subject: scripts: Fix X.509 PEM support in sign-file
+
+sign-file originally required the X.509 certificate to be in DER
+format, but now has a fallback to PEM format. It expects BIO_reset()
+to return 1 on success, but:
+
+ BIO_reset() normally returns 1 for success and 0 or -1 for failure.
+ File BIOs are an exception, they return 0 for success and -1 for
+ failure.
+
+BIO_reset() also prints accumulated error messages, which we don't
+want when we're about to try a fallback, so drain them first.
+
+Signed-off-by: Ben Hutchings
+---
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -229,10 +229,14 @@ int main(int argc, char **argv)
+ ERR(!b, "%s", x509_name);
+ x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
+ if (!x509) {
+- ERR(BIO_reset(b) != 1, "%s", x509_name);
++ /*
++ * We want to hold onto the error messages in case
++ * it's neither valid DER or PEM, but BIO_reset() will
++ * print them immediately so we can't.
++ */
++ drain_openssl_errors();
++ ERR(BIO_reset(b) != 0, "%s", x509_name);
+ x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
+- if (x509)
+- drain_openssl_errors();
+ }
+ BIO_free(b);
+ ERR(!x509, "%s", x509_name);
diff --git a/debian/patches/series b/debian/patches/series
index 44807c5b5..93f22b348 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,3 +133,4 @@ bugfix/all/lockdep-add-missing-macros.patch
 bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
 bugfix/all/power-cpupower-fix-manpages-NAME.patch
 bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
+bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
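Review bot: The `!= 0` success test on the new `ERR(BIO_reset(b) != 0, "%s", x509_name);` line is correct only because `b` is a file BIO, which returns 0 from BIO_reset() where every other BIO type returns 1; that rationale lives only in the commit message, and the place where `b` is created (presumably BIO_new_file, outside the hunk) is where a later change could break the PEM fallback. A one-line comment beside the check, `/* File BIOs return 0 from BIO_reset() on success, not 1 */`, would keep the reason with the code. The added block comment is also hard to parse ("so we can't" has to be read as "so we drain them first instead") and has "neither ... or"; it could say `/* BIO_reset() would print the DER parse errors immediately; drain them so the PEM attempt starts clean, accepting that only the PEM diagnostics survive if both formats fail. */`. That trade-off is worth stating because, after this change, a certificate file that is neither DER nor PEM is reported solely through the PEM parse errors. The enclosing main() starts and ends outside the hunk.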