Setting max-cache-ttl 0 in your .gnupg/gpg-agent.conf file does seem to be a good solution. Especially since it works.
There's also the gpg-agent option --no-allow-external-cache that's supposed to:
Tell Pinentry not to enable features which use an external cache for passphrases. Some desktop environments prefer to unlock all credentials with one master password and may have installed a Pinentry which employs an additional external cache to implement such a policy. By using this option the Pinentry is advised not to make use of such a cache and instead always ask the user for the requested passphrase.
That sounds like it should always ask for the passphrase, but it does not appear to do that. Or, it only always asks when an external cache exists.
Or, you could keep letting gpg-agent cache passphrases, but on demand clear them by sending a SIGHUP signal (with kill, killall, pkill, etc):
This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: quiet, verbose, debug, debug-all, debug-level, debug-pinentry, no-grab, pinentry-program, pinentry-invisible-char, default-cache-ttl, max-cache-ttl, ignore-cache-for-signing, no-allow-external-cache, allow-emacs-pinentry, no-allow-mark-trusted, disable-scdaemon, and disable-check-own-socket. scdaemon-program is also supported but due to the current implementation, which calls the scdaemon only once, it is not of much use unless you manually kill the scdaemon.
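As an added example (not part of the answer above), here is a POSIX shell script that puts the three pieces together: it writes a gpg-agent.conf with both cache TTLs set to 0 and no-allow-external-cache, reloads the running agent (gpgconf --reload gpg-agent does the same thing as the SIGHUP described above, with pkill -HUP as a fallback), and then asks the agent which keys still have a cached passphrase. The KEYINFO field layout used in cached_keygrips is taken from gpg-agent's Assuan protocol documentation (field 7 is "1" when a passphrase is cached); treat the exact field position as an assumption to check against your GnuPG version. By default the script works in a scratch directory so it can be run without touching a real keyring; pass your actual GnuPG home directory to apply it.

```shell
#!/bin/sh
# Added example (not from the original answer): disable gpg-agent passphrase
# caching in gpg-agent.conf, reload the agent (equivalent to SIGHUP), and list
# which keys still have a cached passphrase afterwards.
set -u

# Write a gpg-agent.conf with caching disabled into directory $1.
# Prints the path of the file it wrote.
write_agent_conf() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    cat > "$dir/gpg-agent.conf" <<'EOF'
# Never keep a passphrase in the agent cache: both TTLs set to zero.
default-cache-ttl 0
max-cache-ttl 0
# Ask pinentry not to use a desktop keyring as an external cache.
no-allow-external-cache
EOF
    printf '%s\n' "$dir/gpg-agent.conf"
}

# Print the value of option $2 from config file $1 (empty if the option
# takes no value or is absent). Comment lines start with '#'.
conf_option_value() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$1"
}

# Flush cached passphrases and re-read gpg-agent.conf. gpgconf --reload makes
# the agent do what the man page describes for SIGHUP; fall back to pkill -HUP.
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    else
        pkill -HUP -x gpg-agent || true   # no running agent is not an error
    fi
}

# List keygrips whose passphrase the running agent currently has cached.
# Assumed line layout (from the gpg-agent Assuan docs):
#   S KEYINFO <grip> <type> <serialno> <idstr> <cached> <protection> ...
# where <cached> (field 7) is "1" when a passphrase is cached, "-" otherwise.
cached_keygrips() {
    gpg-connect-agent 'KEYINFO --list' /bye 2>/dev/null \
        | awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# With no argument, work in a scratch directory so nothing in the real
# homedir is touched; pass ~/.gnupg (or $GNUPGHOME) to apply it for real.
target=${1:-$(mktemp -d)}
conf=$(write_agent_conf "$target")
printf 'wrote %s (max-cache-ttl=%s)\n' "$conf" "$(conf_option_value "$conf" max-cache-ttl)"

if [ "$target" = "${GNUPGHOME:-$HOME/.gnupg}" ] && command -v gpg-connect-agent >/dev/null 2>&1; then
    reload_agent
    printf 'keys with a cached passphrase after reload: %s\n' "$(cached_keygrips | wc -l)"
fi
```

Usage: `sh gpg-nocache.sh ~/.gnupg` applies the configuration and reloads the agent; running it with no argument only writes the file into a temporary directory and prints its path. After a reload the cached_keygrips listing should be empty, and with max-cache-ttl 0 it stays empty because the agent expires each passphrase as soon as it is used.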