In a fresh install of bookworm with GNOME desktop, the problem of ssh-add -D not removing ed25519 keys still remains in 2023. When investigating this, I noticed that in the default configuration, there are at least FIVE separate SSH agent processes running:

1. gnome-keyring-daemon process (the buggy one), listening to socket /run/user/$UID/keyring/ssh, which $SSH_AUTH_SOCK points to by default (at least in a GNOME session).
2. OpenSSH ssh-agent process forked by the previous process, listening to socket /run/user/$UID/keyring/.ssh, and working normally (if you point $SSH_AUTH_SOCK there).
3. Another OpenSSH ssh-agent process started by ssh-agent.service (shipped by openssh-client package), listening to socket /run/user/$UID/openssh_agent, and working as expected.
4. gcr-ssh-agent process listening to socket /run/user/$UID/gcr/ssh with the same buggy behaviour wrt ed25519 keys.
5. Third OpenSSH ssh-agent process started by the previous process gcr-ssh-agent, listening to socket /run/user/$UID/keyring/.ssh, again working normally, since it's just the standard ssh-agent.

ed25519 keys are very common today, so the default configuration should handle them correctly. And what is the point of having multiple copies of the same agent running, when none of them are even used unless the user explicitly changes their $SSH_AUTH_SOCK configuration?

Please coordinate with all related package maintainers to fix this mess before trixie is released.
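
An added example, not part of the original report: a read-only shell function that checks the four distinct socket paths named above and shows which agents still list keys, for instance after running `ssh-add -D`. The function name `audit_agents` and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of the SSH agent sockets named in the report.
# Paths are the four distinct ones listed there, relative to the per-user
# runtime directory (/run/user/$UID).
AGENT_SOCKETS="keyring/ssh keyring/.ssh openssh_agent gcr/ssh"

# audit_agents [RUNTIME_DIR]
# One output line per socket: '*' marks the socket $SSH_AUTH_SOCK points to,
# followed by the path and its state. Only `ssh-add -l` is run, so no agent
# is modified. Returns 0 when no agent lists any key, 1 otherwise.
audit_agents() {
    dir=${1:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}
    holding=0
    for rel in $AGENT_SOCKETS; do
        sock=$dir/$rel
        if [ "$sock" = "${SSH_AUTH_SOCK:-}" ]; then mark='*'; else mark=' '; fi
        if [ ! -S "$sock" ]; then
            state=absent
        elif listing=$(SSH_AUTH_SOCK=$sock ssh-add -l 2>/dev/null); then
            # Exit 0: the agent listed at least one key.
            total=$(printf '%s\n' "$listing" | grep -c . || true)
            ed=$(printf '%s\n' "$listing" | grep -c 'ED25519' || true)
            state="keys=$total ed25519=$ed"
            holding=$((holding + 1))
        else
            # ssh-add exits 1 for an agent with no keys, 2 if it cannot connect.
            case $? in
                1) state=empty ;;
                *) state=unreachable ;;
            esac
        fi
        printf '%s %s  %s\n' "$mark" "$sock" "$state"
    done
    [ "$holding" -eq 0 ]
}
```

Source the file and call `audit_agents` after `ssh-add -D`; a non-zero `ed25519=` count on the line marked `*` is the behaviour described in the report.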