I am trying to verify the checksum of the artifacts I am downloading from Nexus. I can grab the artifacts, download them and check their md5sum or sha1sum, but I need to check this against the actual sum from Nexus so I can verify they are correct.
This is the command I'm using to grab files from Nexus:
curl -v -L -o /mylocation/artifact.war -u 'myuser:mypass' --get 'http://ournexus.com/service/local/artifact/maven/content?g=com.ours.stuff&a=our-service-war&v=LATEST&r=snapshots&p=war'
Via http://nexus.xwiki.org/nexus/nexus-indexer-lucene-plugin/default/docs/path__lucene_search.html, it would appear that I can also search for the sha1 sum, but when I do &sha1 I get nothing extra or sha1=(sum), nothing is pulled up, even if I omit all the above options.
This works, but it goes to a specific war, and we need the latest (obviously):
http://ournexus.com/service/local/repositories/snapshots/content/com/ours/stuff/ourapp/1.0.0-SNAPSHOT/ourapp-1.0.0-20140730.173704-88.war.sha1
Is this possible, am I on the right track?
You can either fetch the file directly or use the Nexus API to retrieve it programmatically.
The following URL:
http://localhost:8081/nexus/service/local/artifact/maven/resolve?g=log4j&a=log4j&v=1.2.9&r=central
Returns the following result:
<artifact-resolution>
<data>
<presentLocally>true</presentLocally>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.9</version>
<extension>jar</extension>
<snapshot>false</snapshot>
<snapshotBuildNumber>0</snapshotBuildNumber>
<snapshotTimeStamp>0</snapshotTimeStamp>
<sha1>55856d711ab8b88f8c7b04fd85ff1643ffbfde7c</sha1>
<repositoryPath>/log4j/log4j/1.2.9/log4j-1.2.9.jar</repositoryPath>
</data>
</artifact-resolution>
The xmllint command can be used to parse out the sha1 checksum value as follows:
$ curl -s "http://localhost:8081/nexus/service/local/artifact/maven/resolve?g=log4j&a=log4j&v=1.2.9&r=central" | xmllint --xpath "//sha1/text()" -
55856d711ab8b88f8c7b04fd85ff1643ffbfde7c
You can also use the artifact content API to directly get the MD5/SHA1 checksum file by specifying the p (packaging) or e (extension) parameter as jar.md5 or jar.sha1 (or other relevant for your actual packaging).
Example:
$ curl -s 'http://localhost:8081/nexus/service/local/artifact/maven/content?g=log4j&a=log4j&v=1.2.9&r=central&e=jar.sha1'
55856d711ab8b88f8c7b04fd85ff1643ffbfde7c
My preference is to use the extension parameter rather than the packaging as the checksum file is not a real, packaged Maven artifact.
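One way to combine the two answers above, as an added example that is not part of the original posts: resolve the coordinates once, download exactly the resolved repositoryPath, and compare the file's SHA-1 with the value Nexus reported, so a snapshot deployed between two LATEST requests cannot cause a false mismatch. NEXUS, NEXUS_USER, NEXUS_PASS and the function names are assumptions, as is the resolve call returning the concrete file path for v=LATEST the way the sample response does for 1.2.9.

```shell
#!/bin/sh
# Added example, not code from the answers. NEXUS (base URL), NEXUS_USER,
# NEXUS_PASS and every function name here are assumptions.

# Text of one flat element (sha1, repositoryPath) from the resolve XML on stdin.
xml_field() {
  sed -n "s:.*<$1>\(.*\)</$1>.*:\1:p" | head -n 1
}

# First token of the checksum text, lower-cased. Copes with a bare hash and
# with the "hash  filename" layout that some checksum files use.
normalize_sum() {
  printf '%s\n' "$1" | awk 'NR == 1 { print tolower($1) }'
}

# verify_sha1 <file> <checksum-text>
# Returns 0 on match, 1 on mismatch, 2 if the text is not a SHA-1 at all.
verify_sha1() {
  expected=$(normalize_sum "$2")
  case $expected in
    *[!0-9a-f]*) expected= ;;   # non-hex characters: treat as invalid
  esac
  if [ "${#expected}" -ne 40 ]; then
    echo "checksum text is not a SHA-1 (empty body or error page?)" >&2
    return 2
  fi
  actual=$(sha1sum "$1" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "SHA-1 mismatch for $1: got $actual, expected $expected" >&2
    return 1
  fi
}

# fetch_verified <gav-query> <repo-id> <output-file>
# e.g. fetch_verified 'g=com.ours.stuff&a=our-service-war&v=LATEST&p=war' snapshots out.war
fetch_verified() {
  # -f makes curl fail on HTTP errors instead of saving the error page.
  meta=$(curl -fsS -u "$NEXUS_USER:$NEXUS_PASS" \
    "$NEXUS/service/local/artifact/maven/resolve?$1&r=$2") || return 3
  path=$(printf '%s\n' "$meta" | xml_field repositoryPath)
  sum=$(printf '%s\n' "$meta" | xml_field sha1)
  # Download the exact file that was resolved, not LATEST a second time.
  curl -fsS -L -u "$NEXUS_USER:$NEXUS_PASS" -o "$3" \
    "$NEXUS/service/local/repositories/$2/content$path" || return 3
  verify_sha1 "$3" "$sum"
}
```

The checksum comes from the same server as the artifact, so this check catches truncated or corrupted downloads and stale caches, not a repository whose contents were altered.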