man page incorrectly describes behavior under non-TTY conditions
mjec opened this issue
Describe the bug
The man page currently says:
If passphrase is not provided as a command line argument, then behavior depends on whether the khefin is running at a TTY (interactively) or not. If khefin has a TTY, you will be prompted to enter a passphrase. If khefin does not have a TTY, the passphrase will be read on STDIN, without any prompt, until end of file is reached. Note that in this case, any final newline will be included in the passphrase. As such if you are piping a passphrase to khefin, be sure to use `printf` without a trailing newline, or `echo -n`.
This is not accurate. `khefin` will read to the first newline or EOF, whichever comes first, and it will include the newline in the passphrase. However, it will not read beyond a newline. Under the hood `fgets` is used, and so that behavior is mirrored.
Proposed fix
Supporting authenticator PINs (#28) requires a system for providing both passphrase and PIN, which this behavior permits (one per line).
My intention is to release 0.5.1 with an updated manual, correctly describing this behavior, before releasing 0.6.0 with PIN support and newline truncation (mirroring the interactive behavior). This means that from 0.6.0, you won't be able to use a newline in your passphrase.
This is a particularly unfortunate bug, as it may mean folks are piping in passphrases containing `\n` and having those truncated. As such I'll publish a GitHub security advisory for it shortly.
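The behavior the issue describes, shown as an added example that is not khefin's own code: a reader built on `fgets` as in 0.5.x, which stops at the first newline and keeps it, next to the 0.6.0-style reader that strips the trailing newline so piped and interactive input agree and a PIN can follow on its own line. The input streams are constructed with `fmemopen` in place of the real STDIN; `PASSPHRASE_MAX`, the function names and the sample passphrases are assumptions made here for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Added example, not khefin's code. PASSPHRASE_MAX is an assumed limit. */
#define PASSPHRASE_MAX 256

/* 0.5.x-style read as the issue describes it: fgets() stops at the first
 * newline or at EOF and leaves the newline in the buffer.
 * Returns the number of bytes stored, or -1 if nothing could be read. */
int read_passphrase_fgets(FILE *in, char *buf, size_t buflen) {
    if (fgets(buf, (int)buflen, in) == NULL) return -1;
    return (int)strlen(buf);
}

/* 0.6.0-style read as the issue describes it: same fgets() read, but a
 * trailing newline is stripped so piped input matches interactive input.
 * Returns the length of the stored passphrase, or -1 if nothing was read. */
int read_passphrase_truncated(FILE *in, char *buf, size_t buflen) {
    if (fgets(buf, (int)buflen, in) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = '\0';
    return (int)n;
}

/* Constructed input "hunter2\n", as if from `echo hunter2 | khefin`:
 * the old reader keeps the newline (8 bytes), the new one drops it (7). */
int demo_trailing_newline(void) {
    const char *piped = "hunter2\n";
    char old_buf[PASSPHRASE_MAX], new_buf[PASSPHRASE_MAX];
    FILE *in = fmemopen((void *)piped, strlen(piped), "r");
    if (!in) return 0;
    int n_old = read_passphrase_fgets(in, old_buf, sizeof old_buf);
    fclose(in);
    in = fmemopen((void *)piped, strlen(piped), "r");
    if (!in) return 0;
    int n_new = read_passphrase_truncated(in, new_buf, sizeof new_buf);
    fclose(in);
    return n_old == 8 && strcmp(old_buf, "hunter2\n") == 0 &&
           n_new == 7 && strcmp(new_buf, "hunter2") == 0;
}

/* Constructed input "correct\nhorse" (a passphrase with an embedded newline,
 * piped without a trailing one): the first read yields only "correct\n" and
 * "horse" is left in the stream, which is the truncation the advisory is
 * about. Returns 1 if both reads come out as described. */
int demo_embedded_newline(void) {
    const char *piped = "correct\nhorse";
    char first[PASSPHRASE_MAX], second[PASSPHRASE_MAX];
    FILE *in = fmemopen((void *)piped, strlen(piped), "r");
    if (!in) return 0;
    int n1 = read_passphrase_fgets(in, first, sizeof first);
    int n2 = read_passphrase_fgets(in, second, sizeof second);
    fclose(in);
    return n1 == 8 && strcmp(first, "correct\n") == 0 &&
           n2 == 5 && strcmp(second, "horse") == 0;
}

/* Constructed input "secret\n1234\n": with newline truncation, one value per
 * line gives a passphrase ("secret") followed by an authenticator PIN ("1234"),
 * the layout the issue says PIN support (#28) relies on. */
int demo_passphrase_then_pin(void) {
    const char *piped = "secret\n1234\n";
    char pass[PASSPHRASE_MAX], pin[PASSPHRASE_MAX];
    FILE *in = fmemopen((void *)piped, strlen(piped), "r");
    if (!in) return 0;
    int np = read_passphrase_truncated(in, pass, sizeof pass);
    int ni = read_passphrase_truncated(in, pin, sizeof pin);
    fclose(in);
    return np == 6 && strcmp(pass, "secret") == 0 &&
           ni == 4 && strcmp(pin, "1234") == 0;
}

int main(void) {
    printf("trailing newline kept by fgets, dropped by truncation: %s\n",
           demo_trailing_newline() ? "yes" : "no");
    printf("embedded newline cuts the passphrase: %s\n",
           demo_embedded_newline() ? "yes" : "no");
    printf("passphrase then PIN, one per line: %s\n",
           demo_passphrase_then_pin() ? "yes" : "no");
    return 0;
}
```

The practical check for anyone piping a passphrase today is the middle demo: anything after the first `\n` never reaches the passphrase, with either reader, so a stored secret that contains a newline cannot be supplied non-interactively.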