I’m using Yubikeys for SSH authorization, and as you probably know, they can work in PGP or PIV mode. However, I don’t quite like certain things about PIV mode, so I typically use them in PGP mode, and thus I use gpg-agent as my ssh-agent.

But on some rare occasions I use a key backed up by a file, and when such a key is loaded, GPG offers to save it in the gpg storage, and sometimes you might need to remove this key :). As you can imagine, the normal ssh-add -d doesn’t work in such cases (because the key is copied), but you can still remove it, and here is how:

$ ssh-add -E sha256 -l
4096 SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 slava@slava-ws.local (RSA)

Now let’s connect to GPG agent:

$ gpg-connect-agent
> KEYINFO --ssh-list --ssh-fpr=sha256
S KEYINFO 03FC8FB70D51BB603EC1DCD5435B913261FF472C D - - - P SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 - S
OK
> DELETE_KEY 03FC8FB70D51BB603EC1DCD5435B913261FF472C
OK
> /bye

So here, I matched the key by its SHA256 fingerprint. Also, when you are using gpg-connect-agent, you can use the help and help <COMMAND> commands, for example:

> help KEYINFO
# KEYINFO [--[ssh-]list] [--data] [--ssh-fpr[=algo]] [--with-ssh] <keygrip>
#
# Return information about the key specified by the KEYGRIP.  If the
# key is not available GPG_ERR_NOT_FOUND is returned.  If the option
# --list is given the keygrip is ignored and information about all
# available keys are returned.  If --ssh-list is given information
# about all keys listed in the sshcontrol are returned.  With --with-ssh
# information from sshcontrol is always added to the info. Unless --data
# is given, the information is returned as a status line using the format:

I originally found it on the gpg mailing list and ended up using it a few times, and each time I had to search for it, so I decided to make this post as a memo for myself.
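
The fingerprint-to-keygrip matching done by hand in the session above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, the second sample line is constructed, and it assumes the fingerprint appears as one whitespace-separated field of the `S KEYINFO` line, as it does in the output shown earlier.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read a gpg-agent KEYINFO reply on stdin and print the keygrip of the key
# whose SSH fingerprint equals $1. Exit 1 on no match, 2 on several matches.
keygrip_for_fpr() {
    WANT="$1" awk '
        # Assumption: the fingerprint is one whitespace-separated field of the
        # "S KEYINFO <keygrip> ..." status line, as in the session above.
        $1 == "S" && $2 == "KEYINFO" {
            for (i = 4; i <= NF; i++)
                if ($i == ENVIRON["WANT"]) { grip[++n] = $3; break }
        }
        END {
            if (n == 1) { print grip[1]; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# Look the fingerprint up in the running agent and delete that one key.
# Runs in a subshell so its variables stay local.
delete_ssh_key_from_agent() (
    fpr="$1"
    grip=$(gpg-connect-agent 'KEYINFO --ssh-list --ssh-fpr=sha256' /bye |
           keygrip_for_fpr "$fpr") || {
        echo "no unique key with fingerprint $fpr" >&2; exit 1; }
    # A keygrip is 40 hex digits; refuse to send anything else to the agent.
    case "$grip" in *[!0-9A-Fa-f]*|'') echo "unexpected keygrip" >&2; exit 1 ;; esac
    [ "${#grip}" -eq 40 ] || { echo "unexpected keygrip" >&2; exit 1; }
    gpg-connect-agent "DELETE_KEY $grip" /bye
)

# Sample reply: first line is from the post, second line is constructed.
sample_keyinfo() {
    cat <<'EOF'
S KEYINFO 03FC8FB70D51BB603EC1DCD5435B913261FF472C D - - - P SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4 - S
S KEYINFO A1B2C3D4E5F60718293A4B5C6D7E8F9012345678 D - - - P SHA256:CONSTRUCTED+example/fingerprint+not+a+real+key00 - S
OK
EOF
}

# Offline demo on the sample reply.
sample_keyinfo | keygrip_for_fpr 'SHA256:bASbtisrybuSCmISZESeaK9Q+OuR/6ZnMpaSA/U8Ux4'
```

Against a live agent, call `delete_ssh_key_from_agent` with the fingerprint exactly as printed by `ssh-add -E sha256 -l`.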