diff --git a/.gitignore b/.gitignore index bd036f0..9e83c7e 100644 --- a/.gitignore +++ b/.gitignore @@ -6,8 +6,9 @@ private.pem test-key.jwk public.pem -# Ignore upstream EFF repo -https-everywhere/ +# Generated files +rulesets/default.rulesets +rulesets/default.rulesets.json # Byte-compiled / optimized / DLL files __pycache__/ diff --git a/scripts/generate-and-sign b/scripts/generate-and-sign index 63409bb..2839232 100755 --- a/scripts/generate-and-sign +++ b/scripts/generate-and-sign 
@@ -6,44 +6,15 @@ # # https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#signing # -set -e -set -u -set -o pipefail - - -# We need the upstream repo by EFF for a few select scripts. -https_everywhere_repo="https-everywhere" -if [[ ! -d "$https_everywhere_repo" ]]; then - echo "Cloning upstream https-everywhere repo for scripts..." - echo "WARNING: Can take a long time! ~10m even on fast connections." - git clone https://github.com/EFForg/https-everywhere -else - echo "Found https-everywhere repo locally, reusing..." -fi +set -euo pipefail # Generate the SD rulesets echo "Generating SecureDrop Onion Name rulesets..." python3 sddir.py -# The EFF scripts require paths to be relative, so copy into subdirs. -echo "Copying SecureDrop Onion Name rulesets ..." -rm -f "${https_everywhere_repo}/rules/"*.xml -cp rulesets/*.xml "${https_everywhere_repo}/rules/" -cp public_release.pem "${https_everywhere_repo}/" - -# Switch to upstream subdir, for access to tooling -pushd "$https_everywhere_repo" -sd_rules_dir="securedrop-rules" -rm -rf "$sd_rules_dir" -mkdir "$sd_rules_dir" -python3 utils/merge-rulesets.py +python3 upstream/merge-rulesets.py --source_dir rulesets echo "Preparing rulesets for airgapped signature request..." -./utils/sign-rulesets/async-request.sh public_release.pem "$sd_rules_dir" - -# Return to SD ruleset repo root -popd -echo "Copying rules to SecureDrop ruleset repo..." -cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* . +./upstream/async-request.sh public_release.pem . echo "Updating index for SecureDrop rules..." ./update_index.sh diff --git a/upstream/async-request.sh b/upstream/async-request.sh index e63571d..8ad2b80 100755 --- a/upstream/async-request.sh +++ b/upstream/async-request.sh 
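Review bot: Every path in the new body is relative to the repository root (`python3 sddir.py`, `upstream/merge-rulesets.py`, `public_release.pem`, `./update_index.sh`), yet the script lives in `scripts/` and never changes directory, so it only works when invoked from the root and otherwise fails at the first step under `set -e`. Anchoring the working directory right after the strict-mode line, `cd "$(dirname -- "$0")/.."`, removes that dependency on the caller. The commit also replaces an unpinned run-time `git clone` of EFF's repository with vendored copies under `upstream/`, which is a genuine supply-chain improvement; it would be worth recording their origin with a comment such as `# upstream/ holds scripts vendored from EFForg/https-everywhere at commit <UPSTREAM_COMMIT>` so future refreshes can be diffed against a known revision. The lines before `set -euo pipefail` (shebang and header comments) are outside the hunk.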
@@ -8,7 +8,7 @@ if [ $# -ne 2 ]; then fi -RULESETS_FILE=rules/default.rulesets +RULESETS_FILE=rulesets/default.rulesets SIGNED_SHA256SUM_BASE64=`mktemp /tmp/ruleset-signature.sha256.base64.XXXXXXXX` trap 'rm $SIGNED_SHA256SUM_BASE64' EXIT