Error: The downloaded package could not be verified
Turns out the problem was that, for some reason, Casper thought the distribution point didn't need authentication, so the clients executing the policy were trying to connect anonymously to the WebDAV Realm. Instead of getting the DMG they asked for, they were (I imagine) getting a 404 page. Which, naturally, can't be verified as a DMG. I turned on authentication for all the distribution points, and all became right with the world.