Make signing script re-sign Firmware AU payload, and update rootfs hash.

scripts/image_signing/resign_image.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Standalone version of cros_resign_image.sh script from
 # chromeos/src/scripts/bin/ for use on signing servers.
 
 # Both the cgpt tool and vbutil_kernel should be in the system path.
 
+# Load common constants and variables.
+. "$(dirname "$0")/common.sh"
+
 # Abort on error
 set -e
 
 # Check arguments
 if [ $# -ne 4 ] ; then
   echo "usage: $0 src_bin dst_bin kernel_datakey kernel_keyblock"
   exit 1
 fi
 
 # Make sure the tools we need are available.
 type -P cgpt &>/dev/null || \
   { echo "cgpt tool not found."; exit 1; }
 type -P vbutil_kernel &>/dev/null || \
   { echo "vbutil_kernel tool not found."; exit 1; }
 
 sector_size=512  # sector size in bytes
 num_sectors_vb=128  # number of sectors in kernel verification blob
 src_bin=$1
 dst_bin=$2
 kernel_datakey=$3
 kernel_keyblock=$4
 
 koffset="$(cgpt show -b -i 2 $1)"
 ksize="$(cgpt show -s -i 2 $1)"
 
 echo "Re-signing image ${src_bin} and outputting ${dst_bin}"
-temp_kimage=$(mktemp)
-trap "rm -f ${temp_kimage}" EXIT
-temp_out_vb=$(mktemp)
-trap "rm -f ${temp_out_vb}" EXIT
+temp_kimage=$(make_temp_file)
+temp_out_vb=$(make_temp_file)
 
 # Grab the kernel image in preparation for resigning
 dd if="${src_bin}" of="${temp_kimage}" skip=$koffset bs=$sector_size \
   count=$ksize
 vbutil_kernel \
   --repack "${temp_out_vb}" \
   --vblockonly \
   --keyblock "${kernel_keyblock}" \
   --signprivate "${kernel_datakey}" \
   --oldblob "${temp_kimage}"
 
 # Create a copy of the input image and put in the new vblock
 cp "${src_bin}" "${dst_bin}"
 dd if="${temp_out_vb}" of="${dst_bin}" seek=$koffset bs=$sector_size \
   count=$num_sectors_vb conv=notrunc
 
 echo "New signed image was output to ${dst_bin}"