Make signing script re-sign Firmware AU payload, and update rootfs hash.

The build signing script will now re-sign the chrome os AU payload in the image rootfs using the new keys. In addition, it will recalculate and update the RootFS hash (in the kernel partition) before re-signing the whole image using the new "official" keys.

BUG=3496, 5264

>>>>>For testing rootfs hash updates

1) Ensure that image was build with the --enable_rootfs_verification flag
2) Mount the root file fs on the input image, and make a minor change to the root fs (e.g. adding a file)
3) Now boot from this image, drop into the shell and look for logs related to dm-bht in the dmesg output.
4) You should see dm-bht complaining about block hash mismatches
    $ dmesg | grep dm
      ..... <dm-bht errors>.......
      <errors of the form "dm-bht: Block hash match failed">

4) Now re-sign the modified image using the sign_official_build script. This will re-calculate and update the rootfs hash.
5) Boot from the re-signed image. Look at dmesg output.
6) You should see NO dm-bht errors.

>>>>>For testing re-signing of firmware payload

Grab the firmware autoupdate shellball from /usr/sbin/chromeos-firmwareupdate in the output image's rootfs partition (number 3). Extract the shellball (--sb_extract flag), and grab the firmware bios.bin from the temporary directory.
   $ bios.bin
   $ vbutil_firmware --verify firmwareA.vblock --signpubkey KEY_DIR/firmware.vbpubk --fv
    [Verification should succeed]
   $ gbb_utility -g bios.bin --rootkey=rootkey --recoverykey=recoverykey
   "rootkey" should be the same as KEY_DIR/root_key.vbpubk
   "recoverykey" should be the same as KEY_DIR/recovery_key.vbpubk

KEY_DIR: Directory containing the keys used to generate the output image.

Review URL:
4 files changed