Hi there,
Your download page lists the SHA256 checksums of the tarballs to let users verify the integrity of the downloaded file(s). To address a different threat model and offer integrity verification of cryptographic quality [0], please also consider signing your git tags (with ‘git tag --sign’), and/or provide detached cryptographic signatures for the future release tarballs.
As far as Debian is concerned a detached OpenPGP signature would be preferable since our packaging tools can automatically download tarballs and cryptographically verify their integrity in one go. Assuming you have an OpenPGP key [1], an ASCII armored (.asc) detached signature can be generated with
gpg --armor --detach-sign /path/to/roundcubemail-x.y.z.tar.gz
Completely unrelated, please note that the “1.1.3 — Dependent” tarball includes moxieplayer.swf, while the last mention of moxieplayer in your changelog says “TinyMCE security issue: removed moxieplayer (embedding flv and mp4 is not supported anymore)”. Was it re-added by mistake? (Anyway, that file violates the DFSG and will be removed from the upcoming 1.1.3 Debian packages.)
Thanks! Cheers,
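The following is an added example, not part of the e-mail above and not Roundcube's or Debian's own tooling. It shows the consumer side of the two checks the message contrasts: comparing a downloaded tarball against a published SHA256 digest (integrity against corruption) and then verifying a detached ASCII-armored OpenPGP signature with gpg (integrity and origin against a tampering attacker). The file names, the ".asc" naming convention and the presence of the signer's key in the local keyring are assumptions.

```shell
#!/bin/sh
# Added example (not from the original e-mail): verify a release tarball
# first by SHA256 digest, then by detached OpenPGP signature.
# Assumptions: the signature is FILE.asc unless given explicitly, and the
# signer's public key has already been imported into the local gpg keyring.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 if the SHA256 digest of FILE equals EXPECTED_HEX, 1 otherwise.
#   This only catches corruption or a mismatched download; an attacker who
#   can replace the tarball can usually replace the published digest too.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_signature FILE [SIGFILE]
#   returns 0 if gpg verifies the detached signature over FILE,
#   2 if the signature file does not exist (nothing to verify),
#   1 if gpg rejects the signature (bad signature or unknown key).
verify_signature() {
    file="$1"
    sig="${2:-$1.asc}"
    [ -f "$sig" ] || return 2
    gpg --verify "$sig" "$file" 2>/dev/null || return 1
}

# verify_release FILE EXPECTED_HEX [SIGFILE]
#   both checks must pass; the digest check runs first so a truncated or
#   corrupted download is reported before the signature is examined.
verify_release() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_signature "$1" "$3" || { echo "signature check failed: $1" >&2; return 1; }
    echo "ok: $1"
}

# Usage (paths are placeholders):
#   verify_release roundcubemail-x.y.z.tar.gz <sha256-from-download-page>
```

The digest check is deliberately kept separate from the signature check so that a missing ".asc" file is reported as "nothing to verify" (exit status 2) rather than silently treated as a pass; a packaging tool should treat both 1 and 2 as failure, as verify_release does.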