diff --git a/monkeysign/gpg.py b/monkeysign/gpg.py
index 8507a4c17fde0fdc17207dfe1f33fb7173430c44..726cf87f6f896faf7215b4822872359d64479220 100644
--- a/monkeysign/gpg.py
+++ b/monkeysign/gpg.py
@@ -431,7 +431,7 @@ class Keyring():
         self.context.expect(proc.stderr, 'GET_LINE keyedit.prompt')
         print >>proc.stdin, 'save'
         self.context.expect(proc.stderr, 'GOT_IT')
-        return proc.wait() == 0
+        return proc.wait() == 0 and self.check_trustdb()
 
     def sign_key(self, pattern, signall = False, local = False):
         """sign a OpenPGP public key
@@ -542,6 +542,16 @@ class Keyring():
             self.context.expect(proc.stderr, 'GOT_IT')
         return proc.wait() == 0
 
+    def check_trustdb(self):
+        """regenerate the trustdb
+
+we run under --no-auto-check-trustdb so we need to call this from time to time ourselves
+"""
+        self.context.call_command(['check-trustdb'])
+        if not self.context.returncode == 0:
+            raise GpgRuntimeError(self.context.returncode, _('check-trustdb failed: %s') % self.context.stderr.split("\n")[-2])
+        return True        
+
 class TempKeyring(Keyring):
     def __init__(self):
         """Override the parent class to generate a temporary GPG home
diff --git a/monkeysign/ui.py b/monkeysign/ui.py
index b19d42da2f6643eeeb1ea5f8bb6ff9b22fe0b72d..e5cd4f56ccd8e47f1e8bbea6bd0134e98e8d2d42 100644
--- a/monkeysign/ui.py
+++ b/monkeysign/ui.py
@@ -273,6 +273,10 @@ work.
 
         keys = self.tmpkeyring.get_keys(self.pattern)
 
+        self.tmpkeyring.context.call_command(['--check-trustdb'])
+        if not self.tmpkeyring.context.returncode == 0:
+            raise GpgRuntimeError(self.context.returncode, _('decryption failed: %s') % self.context.stderr.split("\n")[-2])
+
         self.log(_('found %d keys matching your request') % len(keys))
 
         for key in keys:
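Review bot: The check reads `self.tmpkeyring.context.returncode`, but the raise uses `self.context.returncode` and `self.context.stderr`, a different object that may not exist on this class or may hold output from an unrelated gpg call. The message `decryption failed` is also misleading, since the command that failed is the trustdb check. The command is passed as `--check-trustdb` here while `Keyring.check_trustdb` in monkeysign/gpg.py passes `check-trustdb`; how `call_command` builds the argument is not visible, but probably only one of the two spellings is correct. Replacing the three added lines with `self.tmpkeyring.check_trustdb()` removes all three problems. The enclosing method starts and ends outside the hunk.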
@@ -426,10 +430,7 @@ mailto: who to send the mail to (usually similar to recipient, but can be used t
         self.tmpkeyring.import_data(keydata)
         # prepare for email transport
         self.tmpkeyring.context.set_option('armor')
-        # this is necessary because we reimport keys from outside our
-        # keyring, so gpg doesn't trust them anymore
-        # but we know we do, so we ignore the trustdb
-        self.tmpkeyring.context.set_option('trust-model', 'always')
+        self.tmpkeyring.context.set_option('no-auto-check-trustdb')
         # remove UIDs we don't want to send
         self.cleanup_uids()
         # cleanup email addresses
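Review bot: The new `set_option('no-auto-check-trustdb')` line replaces a three-line comment that explained the trust override and carries no rationale of its own, and nothing visible after `import_data(keydata)` rebuilds the trustdb for the freshly imported key. With the automatic check disabled, key validity is only as current as the last explicit check, so a later step that depends on validity (presumably encryption to the recipient) may be refused or fall back to prompting. I would add a comment such as `# trustdb is rebuilt explicitly through Keyring.check_trustdb(), so skip gpg's automatic check` and, if no later code does it, call `self.tmpkeyring.check_trustdb()` right after the import. The enclosing function continues outside the hunk, so the explicit check may already happen there.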
diff --git a/tests/test_ui.py b/tests/test_ui.py
index 220ad86d2c6e23d7c58ea92b1db75774dc76afd1..5ffd94e3f2298642d9810f983f477b2c9f7eecdf 100755
--- a/tests/test_ui.py
+++ b/tests/test_ui.py
@@ -185,6 +185,7 @@ class EmailFactoryTest(BaseTestCase):
         self.assertTrue(self.ui.tmpkeyring.import_data(open(os.path.dirname(__file__) + '/96F47C6A.asc').read()))
         self.assertTrue(self.ui.tmpkeyring.import_data(open(os.path.dirname(__file__) + '/96F47C6A-secret.asc').read()))
 
+        self.ui.tmpkeyring.context.set_option('always-trust')
         self.email = EmailFactory(self.ui.tmpkeyring.export_data(self.pattern), self.pattern, 'Antoine Beaupré <anarcat@orangeseeds.org>', 'nobody@example.com', 'nobody@example.com')
 
     def test_cleanup_uids(self):
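Review bot: Setting `always-trust` in the fixture makes gpg skip key validity checks, so this test case no longer exercises the trustdb path that the production code depends on after dropping `trust-model always`; a regression in the `check_trustdb` handling would pass unnoticed. If the override is needed only because the test keys carry no ownertrust, say so in a comment, e.g. `# test keys have no ownertrust; bypass validity checks for the fixture`, or run `self.ui.tmpkeyring.check_trustdb()` here instead. The option is set on `self.ui.tmpkeyring.context`; whether `EmailFactory` operates on that same keyring is not visible in this hunk. The fixture method starts outside the hunk.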