For the past several years I've been storing my SSH secret keys on a Yubikey. This requires changing the value of the SSH_AUTH_SOCK environment variable to point to a socket provided by "gpg-agent", which knows how to talk to the Yubikey itself. (See https://jms1.net/yubikey/make-ssh-use-gpg-agent.md for details.)
Part of Catalina's changes made it impossible to prevent the pre-installed "com.openssh.ssh-agent" LaunchAgent from starting before the desktop environment, which means that the environment block inherited by all GUI apps (such as BBEdit) contains an SSH_AUTH_SOCK variable, whose value points to the named pipe which causes launchd to start an ssh-agent process the first time something connects to it.
The "launchctl unload" command, which used to work prior to Catalina, doesn't work at all - it seems they changed the entire syntax of the command. After doing some digging, I found that the following should work...
launchctl disable gui/501/com.openssh.ssh-agent
launchctl stop gui/501/com.openssh.ssh-agent
After doing this, "launchctl print-disabled gui/501" does show "com.openssh.ssh-agent" on the list of disabled services; however, something in the Catalina boot process is forcibly removing it from the list.
Is it possible, under Catalina, to prevent this LaunchAgent from starting?
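Added example, not part of the original post: a shell check that reports which agent a given SSH_AUTH_SOCK value would reach, so a profile or wrapper script can tell the launchd-provided ssh-agent socket from the gpg-agent one that fronts the Yubikey. The function names are hypothetical and the path patterns are assumptions based on the usual macOS and GnuPG defaults; it diagnoses the environment and does not stop the LaunchAgent.

```shell
#!/bin/sh
# Classify an SSH_AUTH_SOCK value by the agent that owns the socket.
# Assumed patterns: launchd hands out .../com.apple.launchd.<random>/Listeners,
# and gpg-agent's SSH socket is named S.gpg-agent.ssh.
classify_auth_sock() {
    case "$1" in
        "")                              echo unset ;;
        */com.apple.launchd.*/Listeners) echo launchd-ssh-agent ;;
        */S.gpg-agent.ssh)               echo gpg-agent ;;
        *)                               echo other ;;
    esac
}

# Ask GnuPG where its SSH socket lives; fall back to the default location
# when gpgconf is not installed.
gpg_ssh_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-ssh-socket
    else
        echo "${GNUPGHOME:-$HOME/.gnupg}/S.gpg-agent.ssh"
    fi
}

# Return 0 only when the socket belongs to gpg-agent, so a caller can
# refuse to run ssh against an agent that does not hold the Yubikey keys.
require_gpg_agent_sock() {
    kind=$(classify_auth_sock "$1")
    if [ "$kind" != gpg-agent ]; then
        echo "SSH_AUTH_SOCK is $kind, expected $(gpg_ssh_socket)" >&2
        return 1
    fi
}

# Report what the current process inherited.
classify_auth_sock "${SSH_AUTH_SOCK:-}"
```

Run from a terminal and from a shell spawned by a GUI app to compare the two environments.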