image_signing: rework input/output files and firmware signing

The new nvidia logic expects to have the "real" output filename and not
yet another temp path.  Since sign_firmware.sh supports being passed in
the input as the output and doing in-place signing, just document it and
update the callers.

BUG=chrome-os-partner:44227
BRANCH=None
TEST=signer outputs pubkey.sha to the same location as the output firmware

Change-Id: Iadc5dc5aaace6be9e22ff2c55bfbc58b7e1b3ef0
Reviewed-on: https://chromium-review.googlesource.com/296574
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>

scripts/image_signing/sign_firmware.sh

@@ -21,6 +21,7 @@ Usage: $0 <input_firmware> <key_dir> <output_firmware> [firmware_version] \
 
 Signs <input_firmware> with keys in <key_dir>, setting firmware version
 to <firmware_version>. Outputs signed firmware to <output_firmware>.
+The <input_firmware> and <output_firmware> paths may be the same.
 If no firmware version is specified, it is set as 1.
 EOF
   exit 1

scripts/image_signing/sign_official_build.sh

@@ -442,15 +442,10 @@ sign_firmware() {
   local firmware_version=$3
   local loem_output_dir=${4:-}
 
-  local temp_firmware=$(make_temp_file)
   # Resign the firmware with new keys, also replacing the root and recovery
   # public keys in the GBB.
-  "${SCRIPT_DIR}/sign_firmware.sh" "${image}" "${key_dir}" "${temp_firmware}" \
+  "${SCRIPT_DIR}/sign_firmware.sh" "${image}" "${key_dir}" "${image}" \
     "${firmware_version}" "${loem_output_dir}"
-  # Note: Although sign_firmware.sh may correctly handle specifying the same
-  # output file as the input file, we do not want to rely on it correctly
-  # handing that. Hence, the use of a temporary file.
-  mv ${temp_firmware} ${image}
   echo "Signed firmware image output to ${image}"
 }