diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 430a2cd..8e9f967 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,6 +56,8 @@ jobs:
 - name: Run integration tests
 run: |
 TCTI=swtpm: SKIP_CLEVIS=true cargo test -- --nocapture
+ echo "### Shell integration tests" >&2
+ TCTI=swtpm: SKIP_CLEVIS=true ./tests/integration-test.sh
 - name: Run policy tests
 run: |
 TCTI=swtpm: ./tests/test_policy
diff --git a/src/main.rs b/src/main.rs
index e177125..1676f9e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -177,7 +177,10 @@ struct ClevisInner {
 }
 fn perform_decrypt(input: Vec) -> Result<()> {
- let input = String::from_utf8(input).context("Error reading input")?;
+ let input = String::from_utf8(input)
+ .context("Error reading input")?
+ .trim()
+ .to_string();
 let hdr = josekit::jwt::decode_header(&input).context("Error decoding header")?;
 let hdr_clevis = hdr.claim("clevis").context("Error getting clevis claim")?;
 let hdr_clevis: ClevisInner =
diff --git a/tests/integration-test.sh b/tests/integration-test.sh
new file mode 100755
index 0000000..db6ca3d
--- /dev/null
+++ b/tests/integration-test.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+die() {
+ echo "ERROR: ${1}" >&2
+ exit 1
+}
+
+PLAINTEXT=foobar
+jwe="$(echo "${PLAINTEXT}" | ./target/debug/clevis-pin-tpm2 encrypt {})"
+
+dec="$(echo "$jwe" | ./target/debug/clevis-pin-tpm2 decrypt)" \
+ || die "Unable to decrypt JWE passed with newline added"
+
+[ "${dec}" = "${PLAINTEXT}" ] \
+ || die "Decrypted JWE (${dec}) does not match PLAINTEXT (${PLAINTEXT})"
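Review bot: In the `.github/workflows/ci.yml` hunk, the added step line passes `SKIP_CLEVIS=true` to `./tests/integration-test.sh`, but the script added in this commit never reads that variable. Unless the binary itself consults it, the prefix has no effect there and `TCTI=swtpm: ./tests/integration-test.sh` states what is actually needed. The script also hard-codes `./target/debug/clevis-pin-tpm2`, so this line depends on the preceding `cargo test` having left that binary in place. That is presumably the case, but a short comment such as `# relies on the debug binary built by cargo test above` would make the ordering dependency explicit.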
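Review bot: The new `.trim()` in `perform_decrypt` (src/main.rs hunk) has no comment explaining why the input is normalised, and it strips any Unicode whitespace from both ends, which is wider than the trailing newline the new shell test exercises. Since this widens what the decrypt path accepts, I would record it as deliberate with `// The JWE may arrive with a trailing newline (e.g. piped through echo); strip surrounding whitespace before parsing.` above the statement, or use `.trim_end()` if only trailing whitespace is meant to be tolerated. The `.to_string()` also copies the whole input a second time. If nothing later needs an owned `String`, binding the decoded string and shadowing it with `let input = input.trim();` avoids that. The rest of the function body is outside the hunk, so that needs checking against the later uses of `input`.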
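Review bot: In `tests/integration-test.sh` the `encrypt` call is unchecked: the `jwe="$(…)"` assignment has no `|| die`, and the script sets neither `-e` nor `-u`. A failed encryption therefore leaves `jwe` empty and is reported as the misleading "Unable to decrypt JWE passed with newline added". Appending `|| die "Unable to encrypt PLAINTEXT"` to that assignment would attribute the failure correctly. The test also covers only a trailing newline, while the Rust change trims both ends. A second decrypt case fed by `printf ' %s\n' "$jwe"` would pin the leading-whitespace behaviour as well.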