When I try to validate the signature gpg tells me:
gpg --verify roundcubemail-1.4.0.tar.gz.asc
gpg: assuming signed data in 'roundcubemail-1.4.0.tar.gz'
gpg: Signature made za 09 nov 2019 21:30:45 CET
gpg: using RSA key 8970E37A698AF775D87D590DC2946A9609CD56B4
gpg: issuer "[hidden email]"
This shows that the signer has the key id:
However according to the website the (short) key ID should be: