updates: Add script for enabling the official update signing key.

This script should be called before running build_image when generating
official production images. Images built with official key will not
accept updates signed with the default development signing key.

set_official

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright (c) 2014 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+# Script must run inside the chroot
+restart_in_chroot_if_needed "$@"
+
+assert_not_root_user
+
+DEFINE_string board "${DEFAULT_BOARD}" \
+  "The board to update."
+DEFINE_boolean official ${FLAGS_TRUE} \
+    "Enable (or disable) official key."
+
+# Parse flags
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+switch_to_strict_mode
+
+# set BOARD and BOARD_ROOT
+. "${BUILD_LIBRARY_DIR}/toolchain_util.sh"
+. "${BUILD_LIBRARY_DIR}/board_options.sh"
+
+if [[ ${FLAGS_official} -eq ${FLAGS_TRUE} ]]; then
+    sudo mkdir -p "${BOARD_ROOT}/etc/portage/package.use"
+    sudo_clobber "${BOARD_ROOT}/etc/portage/package.use/official" \
+        <<<"coreos-base/coreos-au-key official"
+else
+    sudo rm -f "${BOARD_ROOT}/etc/portage/package.use/official"
+fi
+
+emerge-${BOARD} -v --quiet-build=y --nospinner coreos-base/coreos-au-key