^{(This is similar to #13382 except that one started more as what looks like a user error or the OP's misunderstanding of the API so may have been overlooked; see also this August 2022 message on the mailing list)}

Doing MAC with the openssl utility at the moment can be done with:

openssl mac -digest "$digest" -macopt key:"$raw_key" "$mac_name"
openssl mac -digest "$digest" -macopt keyex:"$hex_encoded_key" "$mac_name"

Or variants using openssl dgst -mac/-hmac...

In all those cases, the shared secret key is passed in clear on the command line which on most systems is public information, which makes it impossible to do MAC safely in scripts.

Would it be possible to have a CLI similar to that described at openssl-passphrase-options(1ssl) to pass those secrets in a more secure way?

Maybe some similar -macopt key{pass,env,file,fd,stdin} as in -macopt keyfile:path/to/file as suggested in #13382 (comment) or -macopt keyenv:varname (and -macopt keyexenv:varname) as I suggested on the users mailing list earlier today?

Its possible, yes, but why not just use command substitution here:

openssl mac -digest "$digest" -macopt key:$(cat key.txt) "$mac_name"

Because the result of that command substitution will still show up publicly in the command line.

Its possible, yes, but why not just use command substitution here:

openssl mac -digest "$digest" -macopt key:$(cat key.txt) "$mac_name"

That's the same. The shell still passes the secret in clear in one of openssl's command line arguments (again, which is public information on most systems) to openssl. Only in that case it got the value from the contents of key.txt¹.

There are some dirty non-portable hacks one can use to inject code into openssl that updates argv[] just after the execve(), but users shouldn't have to go there.

^{¹ with all trailing newline characters removed and, since you forgot the quotes around $(...) subject to split+glob; and since you can't pass NUL in arguments to commands, you'd rather use that with keyex than key.}