gnome-keyring SSH Certificates broken with Gnome Keyring



Hello friends!

I am a heavy user of the *relatively* recent SSH key certificate feature (it's over 5 years old). If you aren't familiar with it (many aren't), you can create an SSH key certificate authority, have hosts and clients trust that certificate authority (and not individual keys), and then use signed certs to SSH to different hosts.

In particular, in my ~/.ssh folder, I have "id_rsa", "id_rsa.pub", and "id_rsa-cert.pub". If I add this key with the standard openssh ssh-agent, I get

  Identity added: /home/jt/.ssh/id_rsa (/home/jt/.ssh/id_rsa)
  Certificate added: /home/jt/.ssh/id_rsa-cert.pub (hello jtolds com)

If I run ssh-add -l, I get

  2048 SHA256:PXmGXIJ4vFwgIH...FgCFeWSYU /home/jt/.ssh/id_rsa (RSA)
  2048 SHA256:PXmGXIJ4vFwg...yPb22vDFgCFeWSYU /home/jt/.ssh/id_rsa (RSA-CERT)

Without adding my public key to any host, as long as the target host trusts the certificate authority that gave me RSA-CERT, I can connect.

Gnome Keyring doesn't work with this at all. It totally ignores the cert file, and I can't get it added. I also seem to have lost the ability to disable Gnome Keyring from being my SSH agent. I can't find anything in Gnome settings or dconf to disable it.

This is super frustrating. Ideally, Gnome Keyring supports SSH certs, but enough for me would be to figure out how to disable Gnome Keyring with Gnome 3.22 (Debian Stretch).

Any help? Seahorse used to have this problem and uninstalling it would work, but it appears I can't uninstall Gnome Keyring without breaking a bunch of other things now. Where should I file a bug report?

Thanks!
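The certificate workflow described in the post, as an added example that is not part of the original message: it builds a throwaway CA, signs a user key, reads the certificate back with `ssh-keygen -L`, and loads the key into a stock OpenSSH `ssh-agent` to confirm the `-CERT` identity appears in `ssh-add -l`. The key ID `demo-key-id`, the principal `demo-user`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name below (demo-ca, demo-user, demo-key-id) is constructed.

make_demo_cert() {
    # $1 = empty working directory; prints the path of the signed certificate
    dir=$1
    # CA key pair: the public half is what a host lists under TrustedUserCAKeys
    ssh-keygen -q -t ed25519 -N '' -C demo-ca -f "$dir/ca" || return 1
    # User key pair, named like the one in the post
    ssh-keygen -q -t rsa -b 2048 -N '' -C demo-user -f "$dir/id_rsa" || return 1
    # Sign the user's public key: -I key ID, -n principals, -V validity window.
    # This writes id_rsa-cert.pub next to id_rsa.pub.
    ssh-keygen -q -s "$dir/ca" -I demo-key-id -n demo-user -V +1h \
        "$dir/id_rsa.pub" || return 1
    printf '%s\n' "$dir/id_rsa-cert.pub"
}

cert_field() {
    # $1 = certificate file, $2 = single-line label from `ssh-keygen -L`
    ssh-keygen -L -f "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

cert_principals() {
    # Principals are listed one per line after the "Principals:" label
    ssh-keygen -L -f "$1" | awk '
        /^[ \t]*Principals:/       { inlist = 1; next }
        /^[ \t]*Critical Options:/ { inlist = 0 }
        inlist                     { gsub(/^[ \t]+/, ""); print }'
}

agent_cert_entries() (
    # $1 = private key path. Runs in a subshell so the caller's SSH_AUTH_SOCK
    # is untouched. Starts a throwaway OpenSSH agent, adds the key (ssh-add
    # also picks up <key>-cert.pub), and prints how many -CERT identities
    # the agent lists.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    ssh-add "$1" 2>/dev/null || { ssh-agent -k >/dev/null; return 1; }
    n=$(ssh-add -l | grep -c -- '-CERT)$' || true)
    ssh-agent -k >/dev/null
    printf '%s\n' "$n"
)
```

Running `agent_cert_entries ~/.ssh/id_rsa` against an agent that handles certificates prints `1`; the same `ssh-add -l | grep -- '-CERT)$'` check against whatever `SSH_AUTH_SOCK` currently points to shows whether that agent kept the certificate.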

