nix: Upgrade expected Xcode version to 11.1

Also:
- nix: Disable symlink store check
- Add comments to dependabot config file

Signed-off-by: Jakub Sokołowski <jakub@status.im>

.dependabot/config.yml

@@ -2,19 +2,22 @@
 
 version: 1
 update_configs:
+  # Keep build.gradle files up to date, batching pull requests weekly
   - package_manager: "java:gradle"
     directory: "/android"
     update_schedule: "weekly"
     default_reviewers:
-    - jakubgs
+    - "jakubgs"
     allowed_updates:
       - match:
           update_type: "security"
+  # Keep /mobile/js_files/yarn.lock up to date, batching pull requests weekly
   - package_manager: "javascript"
     directory: "/mobile/js_files"
     update_schedule: "weekly"
     default_reviewers:
     - "jakubgs"
+  # Keep /desktop/js_files/yarn.lock up to date, batching pull requests weekly
   - package_manager: "javascript"
     directory: "/desktop/js_files"
     update_schedule: "weekly"

ci/Jenkinsfile.ios

@@ -1,5 +1,5 @@
 pipeline {
-  agent { label 'macos' }
+  agent { label 'macos-xcode-11.1' }
 
   parameters {
     string(
@@ -27,6 +27,7 @@ pipeline {
     LANGUAGE = "en_US.UTF-8"
     TARGET_OS = 'ios'
     NIX_CONF_DIR = "${env.WORKSPACE}/nix"
+    NIX_IGNORE_SYMLINK_STORE = 1 // https://github.com/NixOS/nix/issues/2925#issuecomment-499544039
     FASTLANE_DISABLE_COLORS = 1
     BUNDLE_PATH = "${HOME}/.bundle"
     /* We use EXECUTOR_NUMBER to avoid multiple instances clashing */

ci/Jenkinsfile.macos

@@ -1,5 +1,5 @@
 pipeline {
-  agent { label 'macos' }
+  agent { label 'macos-xcode-11.1' }
 
   parameters {
     string(
@@ -27,6 +27,7 @@ pipeline {
     LANGUAGE = "en_US.UTF-8"
     TARGET_OS = 'macos'
     NIX_CONF_DIR = "${env.WORKSPACE}/nix"
+    NIX_IGNORE_SYMLINK_STORE = 1 // https://github.com/NixOS/nix/issues/2925#issuecomment-499544039
     VERBOSE_LEVEL = '3'
     /* We use EXECUTOR_NUMBER to avoid multiple instances clashing */
     LEIN_HOME         = "/var/tmp/lein-${EXECUTOR_NUMBER}"

nix/mobile/default.nix

@@ -6,7 +6,7 @@ let
 
   platform = callPackage ../platform.nix { inherit target-os; };
   xcodewrapperArgs = {
-    version = "10.2.1";
+    version = "11.1";
   };
   xcodeWrapper = composeXcodeWrapper xcodewrapperArgs;
   androidPlatform = callPackage ./android { inherit config target-os mkShell mkFilter nodejs maven localMavenRepoBuilder projectNodePackage jsbundle; status-go = status-go.android; };

scripts/sign-macos-pkg.sh

@@ -101,9 +101,9 @@ echo -e "\n### Signing object..."
 # If `OBJECT` is a directory, we assume it's an app
 # bundle, otherwise we consider it to be a dmg.
 if [ -d "$OBJECT" ]; then
-  codesign --sign "$DEV_ID" --keychain "$KEYCHAIN" --deep --force --verbose=4 "$OBJECT"
+  codesign --sign "$DEV_ID" --keychain "$KEYCHAIN" --options runtime --deep --force --verbose=4 "$OBJECT"
 else
-  codesign --sign "$DEV_ID" --keychain "$KEYCHAIN" --force --verbose=4 "$OBJECT"
+  codesign --sign "$DEV_ID" --keychain "$KEYCHAIN" --options runtime --force --verbose=4 "$OBJECT"
 fi
 
 echo -e "\n### Verifying signature..."
@@ -113,5 +113,8 @@ echo -e "\n### Assessing Gatekeeper validation..."
 if [ -d "$OBJECT" ]; then
   spctl --assess --type execute --verbose=2 "$OBJECT"
 else
-  spctl --assess --type open --context context:primary-signature --verbose=2 "$OBJECT"
+  echo "WARNING: The 'open' type security assesment is disabled due to lack of 'Notarization'"
+  # Issue: https://github.com/status-im/status-react/pull/9172
+  # Details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
+  #spctl --assess --type open --context context:primary-signature --verbose=2 "$OBJECT"
 fi