Don't forget to umount rootfs in case we bail on firmware re-signing.

scripts/image_signing/sign_official_build.sh

 #!/bin/bash
 
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Sign the final build image using the "official" keys.
 #
 # Prerequisite tools needed in the system path:
 #
@@ skipping 107 matching lines @@
 # Args: IMAGE KEYBLOCK PRIVATEKEY
 update_rootfs_hash() {
   echo "Recalculating rootfs"
   local image=$1  # Input image.
   local keyblock=$2  # Keyblock for re-generating signed kernel partition
   local signprivate=$3  # Private key to use for signing.
 
   local rootfs_image=$(make_temp_file)
   extract_image_partition ${image} 3 ${rootfs_image}
   local kernel_config=$(grab_kernel_config "${image}")
+  echo "got: $kernel_config"
   local hash_image=$(make_temp_file)
 
   local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \
     "${kernel_config}" "${hash_image}")
+  echo "changing to: $new_kernel_config"
 
   local rootfs_blocks=$(sudo dumpe2fs "${rootfs_image}" 2> /dev/null |
     grep "Block count" |
     tr -d ' ' |
     cut -f2 -d:)
   local rootfs_sectors=$((rootfs_blocks * 8))
+  echo "rootfs sectors = $rootfs_blocks"
 
   # Overwrite the appended hashes in the rootfs
   local temp_config=$(make_temp_file)
   echo ${new_kernel_config} >${temp_config}
   dd if=${hash_image} of=${rootfs_image} bs=512 \
     seek=${rootfs_sectors} conv=notrunc
 
   local temp_kimage=$(make_temp_file)
   extract_image_partition ${image} 2 ${temp_kimage}
   # Re-calculate kernel partition signature and command line.
@@ skipping 23 matching lines @@
 }
 
 # Re-sign the firmware AU payload inside the image rootfs with a new keys.
 # Args: IMAGE
 resign_firmware_payload() {
   local image=$1
 
   # Grab firmware image from the autoupdate shellball.
   local rootfs_dir=$(make_temp_dir)
   mount_image_partition ${image} 3 ${rootfs_dir}
-
+  # Force unmount of the rootfs on function exit as it is needed later.
+  trap "sudo umount -d ${rootfs_dir}" RETURN
+  
   local shellball_dir=$(make_temp_dir)
   # get_firmwarebin_from_shellball can fail if the image has no 
   # firmware update.
   get_firmwarebin_from_shellball \
     ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate ${shellball_dir} || \
     { echo "Didn't find a firmware update. Not signing firmware."
     return; }
   echo "Found a valid firmware update shellball."
 
   temp_outfd=$(make_temp_file)
@@ skipping 28 matching lines @@
   # Re-generate firmware_update.tgz and copy over encoded archive in
   # the original shell ball.
   new_fwblob=$(make_temp_file)
   tar zcf - -C ${shellball_dir} . | \
     uuencode firmware_package.tgz > ${new_fwblob}
   new_shellball=$(make_temp_file)
   cat ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate | \
     sed -e '/^begin .*firmware_package/,/end/D' | \
     cat - ${new_fwblob} >${new_shellball}
   sudo cp ${new_shellball} ${rootfs_dir}/usr/sbin/chromeos-firmwareupdate
-  # Force unmount of the image as it is needed later.
-  sudo umount -d ${rootfs_dir}
   echo "Re-signed firmware AU payload in $image"
 }
 
 # Verify an image including rootfs hash using the specified keys.
 verify_image() {
   local kernel_config=$(grab_kernel_config ${INPUT_IMAGE})
+  echo "got $kernel_config"
   local rootfs_image=$(make_temp_file)
   extract_image_partition ${INPUT_IMAGE} 3 ${rootfs_image}
   local hash_image=$(make_temp_file)
   local type=""
 
 
   # First, perform RootFS verification
   echo "Verifying RootFS hash..."
   local new_kernel_config=$(calculate_rootfs_hash "${rootfs_image}" \
     "${kernel_config}" "${hash_image}")
@@ skipping 101 matching lines @@
 elif [ "${TYPE}" == "install" ]; then
   resign_firmware_payload ${INPUT_IMAGE}
   update_rootfs_hash ${INPUT_IMAGE} \
     ${KEY_DIR}/installer_kernel.keyblock \
     ${KEY_DIR}/recovery_kernel_data_key.vbprivk
   sign_for_factory_install
 else
   echo "Invalid type ${TYPE}"
   exit 1
 fi