My notification service extension has the com.apple.developer.usernotifications.filtering entitlement and it would appear that this is preventing a contact with an image from either being added or updated, any attempt to do so results in calls to CNContactStore.execute() throwing an CNInvalidRecords error.
If the filtering entitlement is removed then there are no problems and the contact can be added/updated without problem. If the entitlement is present but the contact is added/updated without an image then it is also problem free.
It is specifically adding a contact with an image that cannot be accomplished if the entitlement is present.
I've encountered problems with this entitlement before - for example there are problems attempting to use a CXCallDirectoryManager from within a notification service extension with this extension. Quote from Apple on the call extension issue:
"Because that entitlement can "hide" notifications, its sandbox profile is actually more restrictive than the standard NSE sandbox. That's what's preventing access to CXCallDirectoryManager, not the App ID properties. -Kevin Elliott DTS Engineer, CoreOS/Hardware"
I'd be appreciative if somebody from Apple could comment and confirm if the problems with updating contacts with an image with this entitlement is the same fundamental sandboxing issue? If so, I don't understand why a contact can be added with this entitlement, its only an issue if the contact has an image, does that imply a bug?