force gpg-agent to forget password
Full question
https://superuser.com/questions/586969/f...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
ANSWER 1
Score 29
gpgconf --reload gpg-agent
is one way to force the agent to forget passwords it has cached in memory. Currently (gpg 2.0-2.1) this is [almost] equivalent to pkill -HUP gpg-agent. I say "almost equivalent" since you could, in theory, have more than one agent running and the pkill will try to deliver SIGHUP to all of them.
ANSWER 2
Score 16
I use a simple:
echo RELOADAGENT | gpg-connect-agent
Works like a charm.
--
Edited: tested with Debian 10, gpg 2.2.12, libgcrypt 1.8.4
ACCEPTED ANSWER
Score 9
TTL for cached passwords is controlled by gpg-agent's options:
--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds.
--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After
this time a cache entry will be expired even if it has been accessed
recently. The default is 2 hours (7200 seconds).
As for a way to control this on demand, if you are able to trigger a command upon locking your screen, using keychain to handle gpg-agent could be used to execute
keychain --clear --agents gpg
which would kill all managed instances of gpg-agent.
But then, you should have a way to execute keychain --agents gpg --eval $gpg upon unlocking your screen. Maybe too much hassle.
ANSWER 4
Score 1
This is what worked for me in clearing a single password (i.e. passphrase) - run from the terminal - if you want to clear them all then https://superuser.com/a/1269901/457084 works:
gpg-connect-agent "clear_passphrase --mode=normal <cacheid>" /bye
where <cacheid> is most likely the keygrip available if you execute:
gpg --list-keys --with-keygrip
:
<path to pubring.kbx>
------------------------------------------------
pub rsa2048 2017-12-11 [SC] [expires: 2019-12-11]
<keyid>
Keygrip = <keygrip>
uid <email>
With a bit of help from https://web.archive.org/web/20180528210236/https://demu.red/blog/2016/06/how-to-check-if-your-gpg-key-is-in-cache/
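
An added example, not from any of the answers above: a POSIX shell sketch that flushes the cache with the reload command from the answers and then confirms, via the agent's KEYINFO status lines, that no keygrip is still cached. The function names and the sample keygrips are constructed for illustration; it assumes the "S KEYINFO" layout where the seventh field is 1 for a cached passphrase and - otherwise.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).

# Read "keyinfo --list" output on stdin and print the keygrip of every key
# whose passphrase is currently cached. Status line layout:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# <cached> is "1" when the passphrase is in the cache, "-" otherwise.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Ask the running agent for its key list.
agent_keyinfo() {
    gpg-connect-agent 'keyinfo --list' /bye
}

# Flush the whole cache, then verify that nothing is left in it.
# Returns 0 if the cache is empty, 1 if a keygrip is still cached,
# 2 if the reload itself failed.
flush_and_verify() {
    gpgconf --reload gpg-agent || return 2
    left=$(agent_keyinfo | cached_keygrips)
    if [ -n "$left" ]; then
        echo "still cached:" >&2
        echo "$left" >&2
        return 1
    fi
    return 0
}

# Constructed sample of agent output: first key cached, second not.
sample_keyinfo() {
    cat <<'EOF'
S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO 89ABCDEF0123456789ABCDEF0123456789ABCDEF D - - - P - - -
OK
EOF
}

# Run the real flush only when asked, e.g. from a screen-lock hook.
if [ "${1:-}" = "--flush" ]; then
    flush_and_verify
fi
```

Calling the script with --flush from a screen-lock hook gives a non-zero exit status when a passphrase survived the reload, which the hook can log or alert on.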