Make sign_official_build.sh verify perform an additional rootfs sanity check using e2fsck.

scripts/image_signing/sign_official_build.sh

Index: scripts/image_signing/sign_official_build.sh
diff --git a/scripts/image_signing/sign_official_build.sh b/scripts/image_signing/sign_official_build.sh
index f8bf23c78caad27d8fcfdfe788a0e57adc900722..eb07127323e82a3cb867ecfea0ed709e9e3e0989 100755
--- a/scripts/image_signing/sign_official_build.sh
+++ b/scripts/image_signing/sign_official_build.sh
@@ -45,7 +45,7 @@ set -e
 
 # Make sure the tools we need are available.
 for prereqs in gbb_utility vbutil_kernel cgpt dump_kernel_config verity \
-  load_kernel_test dumpe2fs sha1sum;
+  load_kernel_test dumpe2fs sha1sum e2fsck;
 do
   type -P "${prereqs}" &>/dev/null || \
     { echo "${prereqs} tool not found."; exit 1; }
@@ -178,6 +178,20 @@ update_rootfs_hash() {
   replace_image_partition ${image} 3 ${rootfs_image}
 }
 
+# Do a sanity check on the image's rootfs
+# ARGS: Image
+verify_image_rootfs() {
+  local image=$1
+  local rootfs_image=$(make_temp_file)
+  extract_image_partition ${image} 3 ${rootfs_image}
+  # This flips the read-only compatibility flag, so that e2fsck does not
+  # complain about unknown file system capabilities.
+  enable_rw_mount ${rootfs_image}
+  echo "Running e2fsck to check root file system for errors"
+  sudo e2fsck -fn "${rootfs_image}" ||
+    { echo "Root file system has errors!" && exit 1;}
+}
+  
 # Extracts the firmware update binaries from the a firmware update
 # shell ball (generated by src/platform/firmware/pack_firmware.sh)
 # Args: INPUT_SCRIPT OUTPUT_DIR
@@ -306,6 +320,8 @@ EOF
     echo "YES"; } || echo "NO"
   set -e
 
+  verify_image_rootfs "${INPUT_IMAGE}"
+
   # TODO(gauravsh): Check embedded firmware AU signatures.
 }