diff --git a/build_image b/build_image
index 1361315b48..e308099253 100755
--- a/build_image
+++ b/build_image
@@ -34,6 +34,8 @@ DEFINE_string group "${DEFAULT_GROUP}" \
   "The update group."
 DEFINE_boolean generate_update "${FLAGS_FALSE}" \
   "Generate update payload. (prod only)"
+DEFINE_boolean extract_update "${FLAGS_TRUE}" \
+  "Extract the /usr partition for generating updates."
 DEFINE_string developer_data "" \
   "Insert a custom cloudinit file into the image."
 
@@ -151,6 +153,9 @@ fi
 
 if [[ "${DEV_IMAGE}" -eq 1 ]]; then
   create_dev_image ${COREOS_DEVELOPER_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group}
+  if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
+    extract_update "${COREOS_DEVELOPER_IMAGE_NAME}" "${DISK_LAYOUT}"
+  fi
 fi
 
 if [[ "${CONTAINER}" -eq 1 ]]; then
@@ -161,6 +166,8 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   create_prod_image ${COREOS_PRODUCTION_IMAGE_NAME} ${DISK_LAYOUT} ${FLAGS_group}
   if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
     generate_update "${COREOS_PRODUCTION_IMAGE_NAME}" ${DISK_LAYOUT}
+  elif [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
+    extract_update "${COREOS_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
 fi
 
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 2a19fa5c11..36ef234eb0 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -54,6 +54,16 @@ delete_prompt() {
   fi
 }
 
+extract_update() {
+  local image_name="$1"
+  local disk_layout="$2"
+  local update_path="${BUILD_DIR}/${image_name%_image.bin}_update.bin"
+
+  "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout="${disk_layout}" \
+    extract "${BUILD_DIR}/${image_name}" "USR-A" "${update_path}"
+  upload_image "${update_path}"
+}
+
 generate_update() {
   local image_name="$1"
   local disk_layout="$2"
diff --git a/build_library/prod_image_util.sh b/build_library/prod_image_util.sh
index 96b1b5b6da..29b03cf8a2 100755
--- a/build_library/prod_image_util.sh
+++ b/build_library/prod_image_util.sh
@@ -42,6 +42,14 @@ create_prod_image() {
   emerge_to_image "${root_fs_dir}" coreos-base/coreos
   write_packages "${root_fs_dir}" "${BUILD_DIR}/${image_packages}"
 
+  # Assert that if this is supposed to be an official build that the
+  # official update keys have been used.
+  if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+      grep -q official \
+          "${root_fs_dir}"/var/db/pkg/coreos-base/coreos-au-key-*/USE \
+          || die_notrace "coreos-au-key is missing the 'official' use flag"
+  fi
+
   # clean-ups of things we do not need
   sudo rm ${root_fs_dir}/etc/csh.env
   sudo rm -rf ${root_fs_dir}/var/db/pkg
diff --git a/core_roller_upload b/core_roller_upload
index ddece71ff9..eb04023c97 100755
--- a/core_roller_upload
+++ b/core_roller_upload
@@ -50,7 +50,7 @@ switch_to_strict_mode
 FLAGS_storage="${FLAGS_storage%%/}"
 
 GS_URL="${FLAGS_storage}/${FLAGS_board}/${FLAGS_version}/update.gz"
-HTTP_URL="http://${GS_URL#gs://}"
+HTTP_URL="https://commondatastorage.googleapis.com/${GS_URL#gs://}"
 gsutil cp "${FLAGS_payload}" "${GS_URL}"
 
 rollerctl \
diff --git a/set_official b/set_official
new file mode 100755
index 0000000000..e7695f5e22
--- /dev/null
+++ b/set_official
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Copyright (c) 2014 The CoreOS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
+. "${SCRIPT_ROOT}/common.sh" || exit 1
+
+# Script must run inside the chroot
+restart_in_chroot_if_needed "$@"
+
+assert_not_root_user
+
+DEFINE_string board "${DEFAULT_BOARD}" \
+  "The board to update."
+DEFINE_boolean official ${FLAGS_TRUE} \
+    "Enable (or disable) official key."
+
+# Parse flags
+FLAGS "$@" || exit 1
+eval set -- "${FLAGS_ARGV}"
+switch_to_strict_mode
+
+# set BOARD and BOARD_ROOT
+. "${BUILD_LIBRARY_DIR}/toolchain_util.sh"
+. "${BUILD_LIBRARY_DIR}/board_options.sh"
+
+if [[ ${FLAGS_official} -eq ${FLAGS_TRUE} ]]; then
+    sudo mkdir -p "${BOARD_ROOT}/etc/portage/package.use"
+    sudo_clobber "${BOARD_ROOT}/etc/portage/package.use/official" \
+        <<<"coreos-base/coreos-au-key official"
+else
+    sudo rm -f "${BOARD_ROOT}/etc/portage/package.use/official"
+fi
+
+emerge-${BOARD} -v --quiet-build=y --nospinner coreos-base/coreos-au-key