When unlocking the pin of a gnu smartcard in a gemalto usb shelltoken reader, by design it stays unlocked until you power down, remove or reload scdaemon. Whil this might be practical in some use cases, it might be undesired in conjunction with app-admin/pass as entering the pin only once, you can decrypt all passwords in the store.
Steps to Reproduce:
2.enter pin in pinentry
the smartcard stays unlocked for decryption
By default gnupg would clear the pass phrase after a timeout. This doesn't happen with the smartcard in the gemalto usb shelltoken reader.
Created attachment 460404 [details, diff]
add USE smartcard
Created attachment 460406 [details, diff]
reload scdaemon after decrypting a password to clear the pin