diff --git a/lib/keystore.cc b/lib/keystore.cc index 382a028e83..058ce2013c 100644 --- a/lib/keystore.cc +++ b/lib/keystore.cc @@ -96,6 +96,27 @@ static rpmRC write_key_to_disk(rpmPubkey key, string & dir, string & filename, i return rc; } +rpmRC rpm::check_backends(rpmtxn txn, rpmts ts) +{ + rpmRC rc = RPMRC_OK; + + keystore_fs ks_fs = {}; + keystore_rpmdb ks_rpmdb = {}; + keystore_openpgp_cert_d ks_opengpg = {}; + + for (keystore *ks : std::vector {&ks_fs, &ks_rpmdb, &ks_opengpg}) { + if (ks->name == ts->keystore->name) + continue; + rpmKeyring keyring = rpmKeyringNew(); + ks->load_keys(txn, keyring); + if (rpmKeyringSize(keyring, 0)) { + rpmlog(RPMLOG_WARNING, _("there are public keys in the %s backend which is not the one configured (%s)\n"), ks->name.c_str(), ts->keystore->name.c_str()); + rc = RPMRC_FAIL; + } + rpmKeyringFree(keyring); + } + return rc; +} /*****************************************************************************/ diff --git a/lib/keystore.hh b/lib/keystore.hh index af7be1517e..7c9ca90b83 100644 --- a/lib/keystore.hh +++ b/lib/keystore.hh @@ -8,6 +8,8 @@ namespace rpm { +rpmRC check_backends(rpmtxn txn, rpmts ts); + class keystore { public: const std::string name; diff --git a/lib/rpmts.cc b/lib/rpmts.cc index 20ecab4c25..5d65de830b 100644 --- a/lib/rpmts.cc +++ b/lib/rpmts.cc @@ -299,6 +299,7 @@ static void loadKeyring(rpmts ts) rpmtxn txn = rpmtxnBegin(ts, RPMTXN_READ); if (txn) { ts->keystore->load_keys(txn, ts->keyring); + check_backends(txn, ts); rpmtxnEnd(txn); } } diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at index 5731525af2..b7c9c80a33 100644 --- a/tests/rpmsigdig.at +++ b/tests/rpmsigdig.at 
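Review bot: `check_backends` returns `RPMRC_FAIL` when a stray backend holds keys, but the only caller in this commit (`loadKeyring` in lib/rpmts.cc) discards the result, so the failure code is dead and the check is effectively warn-only; either consume the return value or document the function as advisory. The result of `ks->load_keys(txn, keyring)` is also ignored, so — if load_keys can report an error — an unreadable or corrupt backend is indistinguishable from an empty one and goes unreported; confirm against the `keystore` interface, which is not visible here. A header comment should make explicit what keeps this a hygiene warning rather than a trust change, namely that the keys are inspected in a scratch keyring that is freed and never merged into `ts->keyring`: `/* Warn if a keystore backend other than the configured one holds public keys; they are examined in a temporary keyring and never trusted. */`. Minor: `ks_opengpg` is a typo for `ks_openpgp`. As rendered, `std::vector {&ks_fs, &ks_rpmdb, &ks_opengpg}` lists three distinct pointer types so CTAD could not deduce an element type; presumably `<keystore *>` was stripped in rendering and this is not a real defect.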
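Review bot: The new `check_backends` declaration in lib/keystore.hh has no comment, and its contract (diagnostic only, keys never loaded into the transaction keyring, `RPMRC_FAIL` returned when another backend holds keys) is only discoverable by reading lib/keystore.cc. I would add above it: `/* Warn if any keystore backend other than ts->keystore holds public keys. Returns RPMRC_FAIL in that case; the keys are examined in a scratch keyring and never loaded into ts. */`. The enclosing `namespace rpm` is closed outside the hunk.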
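Review bot: The return value of `check_backends(txn, ts)` is dropped on the added line in `loadKeyring`, so the `RPMRC_FAIL` it produces (see lib/keystore.cc in this commit) never reaches a caller and the check amounts to a logged warning; if that is intentional, a comment on the call would stop a reader from mistaking it for a trust decision, e.g. `/* advisory only: warns about keys in unconfigured backends; result is not a trust decision */`. Because this runs on every keyring load, it appears to instantiate and read all three backends each time, which is extra store I/O per transaction — the test's stderr shows the warning repeated once per rpmkeys invocation, consistent with that; presumably acceptable, but worth a note. The enclosing `loadKeyring` starts before the hunk.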
@@ -1960,3 +1960,29 @@ rpm -qp --qf "[%{filenames}:%{filesignatures}\n]" hello-2.0-1.x86_64-badima.rpm ], []) RPMTEST_CLEANUP + +RPMTEST_SETUP([keyring check keystores]) +AT_KEYWORDS([rpmkeys signature]) +RPMTEST_INIT + +runroot rpmkeys \ + --define "_keyring rpmdb" \ + --import /data/keys/rpm.org-rsa-2048-add-subkey.asc +runroot rpmkeys \ + --define "_keyring fs" \ + --import /data/keys/alice.asc + +RPMTEST_CHECK([[ +runroot rpmkeys --define "_keyring rpmdb" --list +echo "===============================================" +runroot rpmkeys --define "_keyring rpmdb" -Kv /data/RPMS/hello-2.0-1.x86_64-signed-with-new-subkey.rpm | grep "Header OpenPGP" +]], +[0], +[771b18d3d7baa28734333c424344591e1964c5fc rpm.org RSA testkey public key +=============================================== + Header OpenPGP V4 EdDSA/SHA512 signature, key fingerprint: 771b18d3d7baa28734333c424344591e1964c5fc: OK +], +[warning: there are public keys in the fs backend which is not the one configured (rpmdb) +warning: there are public keys in the fs backend which is not the one configured (rpmdb) +]) +RPMTEST_CLEANUP
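Review bot: The new test exercises only the fs-versus-rpmdb pair; the openpgp_cert_d backend that lib/keystore.cc also checks is never populated, so a regression in that branch (or in the warning text for it) would still pass. A second check that imports alice.asc with the openpgp backend selected and expects the corresponding `warning: there are public keys in the ... backend` line would cover it — I am inferring the `_keyring` value from the `fs`/`rpmdb` pattern, so confirm that backend's macro name. The test also does not pin the property that motivates the warning, that a key sitting in the unconfigured backend is not trusted: a `-Kv` under `_keyring rpmdb` of a package signed by alice's key, expected to fail, would assert it if such a fixture exists.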